CSO
THE RESOURCE FOR SECURITY EXECUTIVES

USAA

Insurance giant USAA shows how practicing for disaster can keep your business up and running
PAGE 38

Also Inside

Double Dose: A CSO-CIO duo makes strong medicine for hospital security
PAGE 30

Tapping into ISACs (and other information sharing groups)
PAGE 52

FOIA: Do you know what it really means for your company?
PAGE 46

Why antivirus software isn't the answer
PAGE 59

USAA's John Blaha (left) and Steve Yates at the entrance to a HazMat tent

November 2002 $6.95

www.csoonline.com


Introducing UnityOne from TippingPoint Technologies

Full 2 Gbps Network Defense System

Software-based solutions running on Pentium®, SPARC™, or MIPS processors are too slow to offer real-time network defense. UnityOne is built on custom security-specific processors designed for ultra high-speed network security applications.

Stops Worms, Viruses, Trojans, Blended Threats, DDoS

Blocks thousands of attack-types based on absolute attack filters.

Digital Vaccine™ Update Service

Digital Vaccines™ are developed and delivered by TippingPoint's Threat Management Center, which monitors over 10,000 sensors around the world to rapidly inoculate UnityOne systems against first-strike attacks.

High Availability Mode

Active-Active Redundant Protection.

Up to 40 Physical Security Zones

Prevents both external and internal attacks. Security policies can be set to protect by user, department and site.

The Active Network Defense System that protects networks at 2 Gbps

UnityOne™ is a security breakthrough. It is an ultra-high performance active network defense system that blocks network attacks before critical resources are damaged.

Protect.

Active Network Defense

UnityOne becomes a seamless element of the network infrastructure - shooting down Internet and Intranet attacks in real time. In delivering pre-emptive network defense, UnityOne is unyielding to hostile information attacks. Worms, viruses, trojan horses, blended threats, multi-headed threats, hybrid attacks, DoS and DDoS attacks are all vanquished at 2 gigabits per second.

Active Network Defense Architecture

Copyright © 2002 TippingPoint Technologies. UnityOne is a trademark of TippingPoint Technologies.




UnityOne Defends at 2 Gbps

UnityOne performs high-speed packet and flow reassembly, stateful inspection, packet classification and unanchored content searching. The following table shows UnityOne's performance in terms of Intel® Pentium® Equivalents (PE).

Packet Size                                UnityOne™ Pentium Equivalents* (PE)
64 bytes (Fragmented Attacks)              78 PE
384 bytes (Avg. Enterprise Packet Size)    42 PE
1500 bytes (Max IP Packet Size)            21 PE

* Intel® Pentium® III 1 GHz, 768 MB RAM when applied to Intrusion Blocking. Performance metrics derived from NSS Group - Europe's foremost independent network and security testing organization.

Fast. At 2 Gigabits per second.

A Level of Security Beyond the Firewall and IDS

Network defense systems are an emerging class of products that significantly improve network security. UnityOne strengthens the effectiveness of firewalls by blocking hostile traffic that has infiltrated open ports. And while IDS products are somewhat useful in cleaning up post-attack damage, the amount of information and number of alerts they generate can be overwhelming. But with UnityOne, blocked attacks cause no damage. Period.

UnityOne's processing capabilities include:

TCP session flow reassembly
IP and UDP fragment reassembly
Session state tracking at 250,000 sessions per second
Application layer protocol decoding
Full regular expression matching across multiple packets

Fast Protection Program

Aggressive cyber-attacks are accelerating. The TippingPoint Fast Protection Program is a no-risk network lock-down program. Once qualified, UnityOne is installed in your network for 30 days. At the end of the testing period, UnityOne is purchased and kept in place or the system can be returned.

To enroll in the TippingPoint Fast Protection Program, call a TippingPoint Security Specialist at 1-88UNITYONE or visit www.tippingpoint.com

UnityOne™ from TippingPoint Technologies

All other trademarks are the property of their respective owners. All rights reserved.



Protection in every location. Managed and integrated from one location.

Introducing the Symantec™ Security Management System.

For the first time, security data from multiple locations, multiple tiers — even multiple brands of information security products — can be managed with a single system, at a single console. Which means that enterprise-wide policy compliance is finally a real possibility. It also means that because you've simplified your environment, you can reduce your operating costs. And, most importantly, you can now be more responsive to new and emerging threats, eliminating them before they do damage. It's part of a revolution in information security, a revolution that offers better protection, efficient management and ensured business continuity for your entire enterprise. For our latest White Paper, "Managing Security Incidents in the Enterprise," visit http://ses.symantec.com/USA659A8VE or call 800-745-6054.

Symantec

Symantec Security Management Console




November 2002
Vol. 1, No. 3

30 Double Dose
THE CSO ROLE Working together, CIO Robert Pickton and security executive Dan Meacham are finding the right prescription for security at Baylor Health Care Systems. By Simone Kaplan

26 HIPAA-cratic Oath
SECURITY COUNSEL Lew Wagner, CISO at the University of Texas M.D. Anderson Cancer Center, answers readers' questions about HIPAA.

28 Charting Ethical Waters
FLASHPOINT Ethics-based security policies will prevent you from being submarined by privacy problems. By David H. Holtzman

64 A World of Difference
CSO UNDERCOVER Moving from mainframes to network security? It'll take more than a new coat of paint. By Anonymous

38 COVER STORY Practice Makes Perfect
BUSINESS CONTINUITY As one of the nation's largest insurance companies, USAA is in the business of managing risk. So it makes sense that—when faced with a disaster—the company knows how to respond. By Daintry Duffy

46 Everything You Ever Wanted to Know About FOIA (But Were Afraid to Ask)
FEDERAL LEGISLATION For corporate America, a new exemption to the Freedom of Information Act is a comforting notion—but one that's vastly misunderstood. Here's what FOIA is and what it isn't. By Sarah D. Scalet

52 Safety in Numbers
INFORMATION SHARING CSOs need trusty avenues for networking and sharing confidential information. Today there are more choices than ever for connecting with peers. By Mary Kathleen Flynn

Cover photo by John Dyer

IN EVERY ISSUE 6 CSOonline.com | 8 Letter from the Editor | 10 Letters | 66 Index

DEPARTMENTS

15 Briefing
IM secure; Security by design; Viruses on the other platforms; CSO's cyberdraft suggestions.

24 Wonk
National security: The government set out to create a national strategy to secure cyberspace—and it's still a work in progress. By Julie Hanson

59 Machine Shop
Antivirus software: Can it keep up with the high-speed proliferation of viruses and worms? By Simson Garfinkel

68 Debriefing
Significant moments in security history.

4 www.csoonline.com November 2002


YOU'RE PROTECTED AGAINST HACKERS, VIRUSES AND WORMS. BUT WHAT ABOUT ROSE IN BENEFITS?

eTrust™ Security Solutions
Complete protection for your entire enterprise.

When it comes to protecting your business, you need security that can protect your enterprise from potential threats, no matter where they may come from. That's exactly what eTrust does. Our family of products allows you to not only safeguard your entire enterprise, but also view and manage that security either centrally or from multiple delegated locations. So you can continue to grow and maximize new opportunities while minimizing your risk. And that's security you can feel secure about.

Computer Associates™
HELLO TOMORROW™
WE ARE COMPUTER ASSOCIATES
THE SOFTWARE THAT MANAGES eBUSINESS™
ca.com/etrust/complete

©2001 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


CSOonline.com

Security Counsel

PHYSICAL SECURITY This month, Bob Fox, Sprint's CSO, is available online to answer your questions about physical security. Visit SECURITY COUNSEL to post a question.
www.csoonline.com/counsel

CSO Research Centers

Visit CSOonline's RESEARCH CENTERS for a wealth of information. Centers include archived articles from CSO and its sister publications, webcasts, interviews and links to relevant sources.

SECURITY EXECUTIVE Basics, profiles and member organizations
www.csoonline.com/executive
LEGISLATION & POLICY Laws and liability, national security agencies and organizations
www.csoonline.com/legislation
THREATS & RECOVERY Issues affecting corporate IT, privacy and physical security
www.csoonline.com/threats
STRATEGY & MANAGEMENT Risk analysis, budgeting and policies
www.csoonline.com/strategy

Free Newsletters

We'll bring CSO right to your inbox every month—for free. CSO UPDATE highlights the most recent content posted on CSOonline.com. CSO WANTED UPDATE alerts you to the latest security-related job openings in our database. It takes only a few seconds to subscribe.
www.csoonline.com/newsletters

Get Alarmed

Get informed opinions on security and privacy from CSO's outspoken experts. Senior writers Scott Berinato and Sarah D. Scalet take turns probing the issues that affect you the most. They'll make you think and maybe even smile. Read ALARMED twice a month.
www.csoonline.com/alarmed

Career Resources

Jump-start or advance your career with postings in our JOB CENTER and the listings in our EVENT CALENDAR. Need advice? Ask our CAREER ADVISER, Joyce Brocaglia. Want to know who is where? Read MOVERS & SHAKERS.
www.csoonline.com/career

Only Online

EACH WEEKDAY Stay current by reading our digests of breaking news from around the Web.

MONDAY
TALK BACK Visit each week to share your opinions on controversial security topics.

TUESDAY
SECURITY CHECK Quick and easy. Vote in our weekly security poll.

WEDNESDAY
ANALYST REPORTS Research and analysis from respected sources.

THURSDAY
METRICS Surveys and statistics that businesses can count on.

FRIDAY
POLITICS & POLICY Weekly updates on legislation and politicking—inside the Beltway and out.

THE RESOURCE FOR SECURITY EXECUTIVES

President Walter Manninen
Group Publisher Gary J. Beach
Publisher Bob Bragdon

EDITORIAL
Editor in Chief Lew McCreary
Executive Editor Derek Slater
Managing Editor Elaine M. Cummings
Managing Editor, Production Cheryl R. Asselin
Senior Editor Daintry Duffy
Research Editor Lorraine Cosgrove Ware
Senior Writers Scott Berinato, Sarah D. Scalet
Staff Writer Simone Kaplan
Copy Chief Tom Wailgum
Asst. Managing Editor, Production Kathleen Carr
Copy Editors Kelli A. Gauthier (Assoc.), Emily S. Henderson, Sarah Johnson (Assoc.)
Research Manager Lynne Z. Rigolini
Editorial Resource Manager Carol Zarrow
Editorial Assistants Daniel J. Horgan, Joe Sullivan
Contributors Mary Kathleen Flynn, Simson Garfinkel, David H. Holtzman, Paul Roberts, Lew Wagner
Editorial Operations Specialist Julie Hanson

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor
Senior Designer Chandra Tallman
Design Group Assistant Rachel Barnett

WEBSITE
Senior VP/General Manager, Online Tim Horgan
Web Editorial Director Art Jahnke
Executive Web Editor Martha Heller
Web Editor Sandy Kendall
Web Writer Jon Surmacz
Online Technology Director Dagmar Eiben
Senior Web Developer Ellen Morey
Online Research Manager Kathleen Kotwica
Audience Development Manager Andrew Burrell
Web Developers Diane Chen, Shannon Macdonald
Online Content Researcher Tara Gillet-Liloia
Designer Graham White

Founder Joseph L. Levy

INTERNATIONAL DATA GROUP
Board Chairman Patrick J. McGovern
CEO Pat Kenealy

6 www.csoonline.com November 2002

PHOTO BY NICK VEDROS

BPA INTERNATIONAL MEMBERSHIP Applied for August 2002
© CXO Media Inc.


Introducing KPMG Consulting's New Name AND Era Of Empowerment.

We have done more than just change our name. We have chartered a new beginning. An era of empowerment. Which positions BearingPoint—formerly KPMG Consulting—ready to assume the lead as the world's most influential and respected business advisor and systems integrator. But while we have changed our name to BearingPoint, what we have not changed is our mindset—the desire to get it done. And get it done right. Our goal is to be on everyone's list. At the top, of course. We will accomplish that goal the same way we have operated for over 100 years. One on one. With practical know-how. With passion. Delivering to our present and future clients more than just consulting. By helping our clients align their business and systems to achieve their desired goals. Providing the right information to empower their business. Because the right information brings knowledge. And knowledge is power. Sharing it is empowerment.

BearingPoint
Formerly KPMG Consulting
Business and Systems Aligned. Business Empowered.™

STRATEGY & BUSINESS PROCESS | CUSTOMER RELATIONSHIP MANAGEMENT | SUPPLY CHAIN MANAGEMENT | ENTERPRISE SOLUTIONS | INTEGRATION SERVICES | INFRASTRUCTURE SOLUTIONS | EMERGING TECHNOLOGIES | MANAGED SERVICES

© Copyright 2002, BearingPoint, Inc. All rights reserved.


Joining the Camera Club

In our weird new world, security is a value whose stock surges upward with each and every demonstration of unsettling jeopardy. We are living now with a host of terrors, some of them local, others more remote. New terror joins still-fresh memories, stirring a growing stew of anxieties. As I write this, in the second week of October, our prospective war against Iraq shares center stage with a lethal sniper (I hope that by the time you read this he's been caught). This energetic lunatic is cruelly taking out citizens innocently going about their business—mowing lawns, waiting for buses, buying gas, walking into school. It is an easy week in which to feel unsafe.

When the preciousness of one cherished value rises, that of others may seem to pale by comparison. Last year, The New York Times Magazine published an article ("A Watchful State," by Jeffrey Rosen) that detailed the growing use of video surveillance in England. Rosen, who called the Brits' widespread use of closed-circuit television (CCTV) cameras "a glimpse of the American future," noted that the motive for its origins lay in "fear of terrorism." Years after its initial deployment in 1994, however, Rosen found that, although the fear of terrorism remained undiminished, the CCTV system had won high popular acceptance, despite a wide gap between its advertised capabilities and the operational reality. On some level, the majority of citizens found the pervasive surveillance comforting. Now, on any given day, the average subject of the crown is seen by at least 300 cameras. Throughout the land more than 2.5 million CCTV cameras are now in use.

It is tempting to imagine that the chances of catching this week's psychopath quickly—in days or weeks rather than months or never—could turn on our having a U.K.-style installed base of surveillance cameras. If neighborhoods and public places were wired up for round-the-clock video coverage, could there be some detectable evidence of the sniper's movements before, after and perhaps even during the shootings? (In fact, police are now reviewing images from a red-light scofflaw camera at an intersection near the school shooting scene to see whether a fleeing vehicle may have run the light just after the attack occurred. My guess is they'll learn that this apparently organized killer will have scrupulously observed the speed limit and stopped at every light.)

In the nearly eight years since its initial deployment, the British CCTV system has caught not a single terrorist, making the ROI on its founding mission paltry indeed. Chiefly, it has convinced the English that their public behavior is constantly on view. Rosen posits that this may be exactly the intended effect of the system—to create a feeling of being observed and an acquiescent conformity. But notwithstanding its many enthusiasts, criminologists say CCTV can't be linked to a discernible drop in the crime rate. So, exactly what defensible social purpose is being served?

Rosen ends his piece on a faintly optimistic note. America, he says, is not England, where a greater deference is given to authority and a higher premium placed on conformism. Still, the awesome anxieties of the present moment will tempt many Americans to conclude that security should trump all other values. CSOs, as members of the best-informed community on many of these matters, should work to see that any process leading to that conclusion is appropriately thoughtful and rigorous, not heedless and hasty.

-Lew McCreary
mccreary@cxo.com

8 www.csoonline.com November 2002

PHOTO BY WEBB CHAPPELL


GET OUT YOUR NOTEPAD.

IT'S NOT OFTEN BUSINESS GETS A LESSON IN EFFICIENCY FROM GOVERNMENT

Without dismantling any system or disrupting any department, we delivered security, access management and ROI to one state government. Skeptical? So was the state government until they launched our Identity Management solution. Want to discover the kind of ROI your organization can receive? Schedule a free assessment with our proprietary Identity Management Value Calculator Tool℠ and learn how you can save time, money and resources. Call (800) 639-7576 or visit www.pwcglobal.com/roi. Write it down.


The Evolving Role of CSO

I'm president of the International Security Management Association (ISMA), which represents CSOs of more than 300 of the largest global corporations.

I was interested in your article ["Taming the Two-Headed Beast," September 2002] and what appeared at the outset to frame a very biased and demeaning portrayal of security executives who have a limited portfolio of security responsibilities. As I continued reading, your tone placed the physical security mission in a more realistic and open light, but your journal's overwhelming IT and CISO influence fails in my opinion to accurately represent the evolving CSO role. Your recent survey "The Evolution of the Chief Security Officer" [available at www.csoonline.com/printlinks] clearly discusses the narrower chief information security officer position versus those of us who increasingly have the broader corporate protection mission. Unfortunately, the intellectual arrogance of some infosec individuals I have known is reflected in your references to some elements of our mission.

You consistently state or imply that the two disciplines encompass your magazine's definition of a CSO. The notion that a certification for the information systems security professional (CISSP) is the "Good Housekeeping" seal for a CSO and that an ASIS International certified protection professional (CPP) represents only a physical security certification underscores the misconception of this far broader role. Many of my ISMA colleagues are CPAs, certified fraud examiners, attorneys, and they are certified in disaster recovery and other professional disciplines. You should be aware that ASIS is working on a national standard description for the CSO position that acknowledges a set of skills and competencies far broader than those found in security managers with limited responsibility.

Your article rightly offers multiple examples in approaching an "integrated" security management model. The corporate culture around governance, the notion of management accountability, and officer and shareholder perceptions of security-related risk all combine to influence how the various elements of enterprise security will be structured and directed. It has never been as simple as physical versus information security. [Sprint CSO] Bob Fox summed it up best when he said, "Security is security, whether it's in the physical or IT realm."

GEORGE CAMPBELL
President, ISMA
gcampbell70@attbi.com

CPP Requirements

Your article ["You're Certifiable," October 2002] indicates that years of security expertise are not required for a CPP. Let me provide you with the requirements, besides the written exam, background check and recertification every three years:

1. You must have nine years of security experience, including at least three years of being in charge of a security function.

2. Or you need a bachelor's degree or higher from an accredited institution and seven years of security experience, including at least three years of being responsible for a security function.

Documentation for education is not needed if eligibility requirements based on years of experience are met. If education is used, official certified transcripts must be received by the CPP program office.

3. The applicant must not have been convicted of any criminal offense that would reflect negatively on the security profession, ASIS and the CPP program.

I submit to you that physical security is more than using "toys," like access cards, electronic gates and CCTV cameras. It's proper personnel screening, standard operating procedures and policies to guide the organization, incident management, crime prevention through environmental design, investigations, fraud prevention, staff security awareness, travel security programs, and a host of other issues.

JOSEPH A. ZACCARI, CPP
President and CEO, Jaz Consulting
jazlimited@novus-tele.net

10 www.csoonline.com November 2002

How to Reach Us

E-MAIL csoletters@cxo.com
PHONE 508 872-0080
FAX 508 879-7784
ADDRESS CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
SUBSCRIBER SERVICES phone: 866 354-1125; fax: 847 564-9002; e-mail: cso@omeda.com
REPRINTS Reprints are available by calling Reprint Services at 651 582-3834, or via e-mail at csoreprints@reprintservices.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG's 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


You're the king. Strong. Safe. Protected. Right? Wrong. The fact is, if your network isn't protected by NetScreen, you could be far from safe. You see, technological advances don't only occur in the corporate world. Predators — inside and outside your network — have also made leaps and bounds. Trojan Horses. Worms. Nimda. Code Red. Denial of Service attacks. All emerging threats that many legacy security solutions just can't handle.

NetScreen can. NetScreen's line of purpose-built security systems and appliances has the flexibility and performance to handle new threats. And evolve with them. Keeping not only the central site connected and secure, but also your wireless LANs and remote offices. NetScreen's solutions offer integrated VPN, firewall and network attack blocking. All of which are key to keeping predators under control. And your entire enterprise out of trouble. Find out more about securing your place at the top. Download a white paper on protecting your network from the new generation of security threats at www.netscreen.com/ad/na_cs.

NetScreen
Scalable Security Solutions



Find confidence in the midst of chaos.

Focus on the best in network security, every step of the way.

Start with a secure foundation.

Our operating system, IPSO, is built from the ground up for security. It eliminates many vulnerabilities common to general-purpose servers, and also incorporates our patented IP Clustering technology. Multiple Nokia security appliances can be linked as one, on the fly, for new levels of performance, reliability and scalability.

Integrate the best in network security expertise.

Partners like Check Point Software Technologies, Internet Security Systems and F5 help us deliver the full capabilities of their VPN, firewall, intrusion protection, and Internet traffic management applications. Our continuing deep collaboration also keeps us abreast of changing threats and accelerates the development of new products, to help our customers meet both external and internal threats with greater peace of mind.

Nokia security appliances are compatible with any IP network.

Whether you're extending VPNs to remote offices, business partners and traveling employees, or improving the security of central offices and data centers, Nokia security appliances can answer your needs. To download case studies, specifications and more, just visit www.nokia.com/ipsecurity/na.

NOKIA
Connecting People




Every time someone comes to your door, a decision is made.

The CCD chip behind the lens captures an image, and the microprocessor looks for a match.

One second later: access permitted or access denied.

The iris of the human eye. Unique as a snowflake, more absolute than a fingerprint. Perfect key, meet the perfect lock.

Get in at www.lgiris.com

LIARS, THIEVES AND SPIES NEVER MAKE

IrisAccess™ 3000


News, Stats and Fast Facts

Edited by Kathleen Carr and Daintry Duffy


IM Secure

AOL’S INSTANT MESSENGER, Microsoft’s MSN Messenger and Yahoo’s Messenger have long been popular among home users and have now made their way onto many business PCs. However, they may expose sensitive data or open a new door for hackers to get into corporate networks.

Outsiders can monitor messages that employees send over the public IM networks because the IM servers that employees connect to often lie outside a company’s network. In addition, viruses—which exploit security holes in all three popular IM applications—have spread this year.

Nearly half of the 506 million IM users expected online by 2006 will be business users, according to IDC (a sister company of CSO’s publisher), which expects the IM market to boom from $72 million in 2001 to $781 million in 2006.

To protect themselves, companies must gain control over unauthorized use of public IM networks, according to Yankee Group Program Manager Paul Ritter. Companies can secure their IM traffic by bringing IM infrastructure in-house through proprietary products like IBM’s Lotus Sametime, Microsoft’s Exchange or Communicator’s Hub IM, he says. The Goldman Sachs Group, J.P. Morgan Chase, Merrill Lynch, Salomon Smith Barney Holdings and Sanford C. Bernstein & Co. are deploying Communicator Hub IM to their employees and offering it to their customers. The product allows user authentication and secure messaging.

Ritter expects to see consolidation among IM vendors during the next 12 to 18 months and prices for enterprise IM products to drop 30 percent.

-Paul Roberts


Instant messaging has proven its benefits. About one-third of telecom companies with more than 100 employees surveyed by Yankee Group use IM for customer service. The percentage is slightly lower in financial services and retail, with 31 percent and 27 percent, respectively.




CSO SECURITY CHECK

Do you understand the Freedom of Information Act (FOIA) exemption?

36% Yes
64% No

A majority of you confessed that you don’t get FOIA. See Senior Writer Sarah Scalet’s story, “Everything You Ever Wanted to Know About FOIA (But Were Afraid to Ask),” on Page 46.

To participate in CSO security check polls, visit www.csoonline.com.


Hidden Holes

IN THE UNITED STATES, some companies have been using provisions of the 1998 Digital Millennium Copyright Act (DMCA) to keep IT security companies from informing the public about software vulnerabilities.

In July, Hewlett-Packard warned Secure Network Operations that it was considering suing because one of their researchers revealed information about a security hole in HP’s Tru64 Unix operating system. Under the DMCA, the researcher could face a $500,000 fine and up to five years in prison.

In Australia, last year’s Cybercrime Act makes the unauthorized modification of computer data a crime and outlaws the possession of programs that are used to access data.

“Laws about importing and exporting data vary radically from country to country,” says Bill Hancock, CSO of the Exodus service of Cable & Wireless. “In general, western countries have more open policies. China is very restrictive, and Korea just passed some very restrictive laws with mandatory jail time.”

Still, the laws shouldn’t affect IT security firms that are following safe practices and working within their mandate. “These laws affect people who are doing things that are frowned upon,” says Hancock. “Companies that get proper nondisclosure agreements and liability requirements won’t be affected.”

-P.R.




November  2002  www.csoonline.com  15 


CSO EXCLUSIVE SURVEY

…top three areas of IT security investment?

93% Technology
57% Policy
39% Staff
37% Education
36% Process
28% Consulting/outsourcing
2% Other

SOURCE: CSO SURVEY, “SECURITY SPENDING: HOW MUCH IS ENOUGH?” MAY 2002


Home User Threat

IT HAS BEEN MORE than a year since the Code Red and Nimda worms rocketed around the globe infecting millions of servers running Microsoft’s Internet Information Server (IIS). But while Microsoft quickly issued a patch to close the security hole that Code Red exploited, hundreds of unpatched and infected hosts can still be found on the public Internet. It’s a problem that raises a vexing question: what to do when those responsible for maintaining Internet hardware shirk their responsibility?

“There are a significant number of servers worldwide that have no security at all,” says Mikko Hypponen, manager of antivirus research at Helsinki, Finland-based F-Secure.

The most chronically infected culprits, according to Hypponen, are servers belonging to home users. Many of these individuals have no knowledge of how to manage a public Web server and may not even know they are hosting a Web server on their desktop or laptop.

For Web server administrators with secure systems, those infected machines may come to feel like old friends—distant IP addresses that show up in server access logs every few weeks in their never-ending quest around the globe for new Internet hosts to infect. But, Hypponen points out, those infected machines also pose a significant risk to the entire public Internet. Infected machines, by definition, contain open doors that malicious hackers can use to distribute their own viruses, or to launch denial-of-service attacks on targeted websites.

One solution, suggests Hypponen, may be for outsiders to fix the holes themselves—using the same security hole exploited by the worm or virus.

Simple enough. The catch? Cleaning up a virus on an infected machine that doesn’t belong to you still qualifies as an unauthorized electronic intrusion onto somebody else’s property. It’s a violation of both U.S. and international law that can carry stiff monetary penalties and even jail time.

To tackle this problem, Hypponen advocates the creation of an international body with the authority to intervene and fix infected machines. “It would be like an Internet police—you’d need a warrant,” he says. -P.R.
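The “old friends” in the access logs can be picked out mechanically. This added example (not from the article or F-Secure) is a small Python scanner over constructed Common Log Format lines: it flags Code Red’s /default.ida probes and Nimda’s root.exe and cmd.exe probes, groups them by source address, and tracks how long each host has been knocking and whether the local server actually rejected the request. The log lines and IP addresses are constructed; the request strings are the two worms’ well-known signatures.

```python
import re
from datetime import datetime

# Constructed Common Log Format lines; the addresses are documentation-range
# placeholders (RFC 5737), not real infected hosts. Status 404 means the
# probe was rejected, which is what a patched server should answer.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Nov/2002:04:12:07 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 307
198.51.100.7 - - [03/Nov/2002:04:15:41 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [03/Nov/2002:04:15:42 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [03/Nov/2002:04:15:43 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [03/Nov/2002:04:15:44 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [03/Nov/2002:05:01:10 +0000] "GET /index.html HTTP/1.1" 200 1432
192.0.2.10 - - [17/Nov/2002:09:30:55 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 307
"""

# Request strings the two worms are known for: Code Red hits the .ida ISAPI
# extension; Nimda asks IIS for root.exe or cmd.exe through traversal paths.
SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida\?", re.IGNORECASE),
    "Nimda": re.compile(r"/(?:root|cmd)\.exe", re.IGNORECASE),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def scan_access_log(lines):
    """Return {source_ip: record} for every host whose requests match a worm
    signature. A record counts hits, which worm(s), first and last timestamps,
    and how many probes the server did NOT answer with 404."""
    hosts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed or truncated line
        for worm, sig in SIGNATURES.items():
            if not sig.search(m["path"]):
                continue
            ts = datetime.strptime(m["ts"], TS_FMT)
            rec = hosts.setdefault(m["ip"], {
                "worms": set(), "hits": 0, "first": ts, "last": ts,
                "not_rejected": 0,
            })
            rec["hits"] += 1
            rec["worms"].add(worm)
            rec["first"] = min(rec["first"], ts)
            rec["last"] = max(rec["last"], ts)
            if m["status"] != "404":
                # A probe the server did not reject is a finding about the
                # local box: confirm the .ida mapping is gone and IIS is patched.
                rec["not_rejected"] += 1
            break
    return hosts


def report(hosts):
    """Summarise noisiest hosts first. Hosts that reappear after days or weeks
    are the chronically infected machines the article describes; the right
    move is to notify their owner or upstream ISP, since reaching in to clean
    them yourself is the unauthorized intrusion the article warns about."""
    rows = []
    for ip, rec in hosts.items():
        span_days = (rec["last"] - rec["first"]).days
        rows.append({
            "ip": ip,
            "worms": sorted(rec["worms"]),
            "hits": rec["hits"],
            "span_days": span_days,
            "repeat_offender": span_days >= 7,
            "not_rejected": rec["not_rejected"],
        })
    rows.sort(key=lambda r: (-r["hits"], r["ip"]))
    return rows


if __name__ == "__main__":
    for row in report(scan_access_log(SAMPLE_LOG.splitlines())):
        print(row)
```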


Secure Twice, Open Once

THE INCREASING POPULARITY of virtual private network (VPN) technology has recently exposed a number of serious vulnerabilities in the software used to connect thousands of remote offices and workers to their corporate networks.

While the recent security alerts may have corporate IT managers taking a hard look at their VPN hardware and software, one prominent corporate security expert says that it is policies, not patches, that are needed to shore up VPN.

“It’s an education problem,” says Russ Cooper, surgeon general of TruSecure. “You have VPNs establishing bridges that result in a totally untrustworthy network being connected to an otherwise well-managed corporate network.”

What is needed, according to Cooper, are improved corporate IT policies that crack down on sloppy practices, like allowing employees to alter the configuration of company-supplied hardware in order to facilitate file sharing and Web browsing at home.

Or, Cooper suggests, IT managers can stop treating VPN clients as if they are part of the internal company network and start treating them like what they are—untrusted external hosts attempting to access an intranet.

“You can still allow employees to VPN through the corporate gateway, but make them pass through the firewall, antivirus and content filtering first,” says Cooper.

And, while Cooper doesn’t see any of the recently publicized VPN software vulnerabilities being used in large, distributed attacks, that doesn’t remove the risk of the vulnerabilities being exploited in potentially devastating one-on-one attacks from disgruntled employees or motivated groups of individuals.

Regardless of whether their own network has been attacked, however, Cooper sees benefits for corporate IT managers in keeping on top of their VPN technology. “Given the value that corporate IT managers place on the integrity of their VPN connections, they should deem them as extremely important and patch them right away when patches become available,” he says. -P.R.




Jonathan Franklin
Trial lawyer

Jonathan Franklin, P.A., a boutique law firm based in Miami, Florida, represents corporate clients around the country. The firm specializes in product liability and tort law.

"There were several factors that went into our decision to choose CyberGuard. Chief among these was its proven secure track record. Independent data, reports and evaluations also revealed the product's overall excellence. And we were particularly gripped by its hardened OS, powerful VPN and obvious rock solid security.

"The Internet, with its continuous connections, acts as a doorway directly into your office. It offers a way out to the world and, more importantly, a way in for the world. At our firm, we maintain and store confidential and privileged materials, as well as trade secret information. As a result, we could not risk choosing a product with any vulnerability when we undertook steps to secure our office and valuable information. Frankly, knowledge of any vulnerability alone is enough to stick you with legal liability.

"Faced with the prospect of having to spend $10,000 to $12,000 to get the quality and performance in this caliber of a product, you also need to weigh the potential legal liability. In our opinion, one breach could expose any company to millions in liability. And that was not a risk we wanted to take."

CyberGuard's security solutions are found in Global 2000 companies and governments worldwide. CyberGuard's award-winning, premium firewall/VPN appliances maintain complete separation of network traffic from system components.

Common Criteria EAL4+ Certified

CYBERGUARD Firewall/VPN Appliances

For white papers on Rock Solid Security go to: www.cyberguard.com/ROCKSOLID/home.cfm
Phone: 954.958.3878 • e-mail: info@cyberguard.com

WORLDWIDE

DEFEND YOUR DOMAIN

Copyright 2002 CyberGuard Corporation. All rights reserved.


[Pull quote, partly illegible in the scan:] “…worry about unauthorized users. But everyone has … So now I just worry.”

BRUCE BONSALL, CISO, MASSMUTUAL, ON THE FEAR OF BOTH INTERNAL AND EXTERNAL HACKS


Security by Design

AFTER 9/11, TEMPORARY SECURITY features became part of the landscape in Washington, D.C.: Jersey barriers, bollards, fences—you name it. Suddenly and without notice, streets would close to traffic as a precaution. Now, as temporary becomes quasipermanent, a collective of interested groups—including design experts such as the American Society of Landscape Architects and economic groups such as the Greater Washington Board of Trade—has formed. It’s calling itself the Security Design Coalition (SDC), and in late September it held its first symposium. There, security experts met with design experts and, for the first time, talked about working together. The SDC hopes to use its own backyard, the capital, as a national model for public design that provides security while maintaining both functional and aesthetic virtues. CSO spoke with Marcia Argust, former head of the SDC, about the new group and about what she sees as the future of secure public spaces.

[Photo caption: Marcia Argust, former head of the Security Design Coalition, stands protected by a jersey barrier—a common blockade around the Capitol building.]

CSO: How was the first symposium?

Marcia Argust: People at the conference were starting to ask if all these security measures that they had kind of accepted at first were actually useful. Are the barriers and fences there to actually deter terrorists or to make the average Joe feel better? One guy in his presentation was talking about a public place in Chicago where they put up jersey barriers but didn’t want to damage the granite sidewalks. So they put the barriers on polystyrene protectors. This actually makes the jersey barriers missiles if something like a car bomb is set off.

What else came up at the symposium?

There was talk about how we can better use IT—with surveillance and so forth. We talked about the difference between the eastern United States and the western United States in terms of security perception. [The East is more concerned.] Overall, the reaction was Wow. People who hadn’t been talking before in the design world and security world were suddenly talking and learning.

What spurred you to form the SDC?

It wasn’t just one thing. All these measures were taken, and we just didn’t know who was making the decision to arbitrarily close streets or put jersey barriers up. There was no process.

Do jersey barriers work?

As a temporary solution, often yes. But there are too many here in D.C., and often they are supposed to be a temporary solution and they become permanent. We’re seeing more folks who are saying this looks terrible, especially in our capital and at the Capitol.

What’s the future of secure design?

I think we will see fewer jersey barriers, a lot more of the hardened street furniture [think immobile cement benches] and much more use of landscape elements.

Take a corporate campus. They will start to think about how their driveways lead to the building. Surveillance will be taken into account. Terracing as a deterrent. There’s so many things you can do. ■

To read more about the American Society of Landscape Architects and the Security Design Coalition, visit www.designingforsecurity.org.




IPSec encryption. Secure VPN. Biometric for the enterprise.

Simply better protection for your company's vital data.

Security Suite. Only from NEC Solutions America.

http://info.necsolutions-am.com/ss2
888 632 8701

Empowered by Innovation


CSO’s Cyberdraft Suggestions

In September, President Bush’s cybersecurity adviser Richard Clarke and his second-in-command, Howard Schmidt, released a long-anticipated treatise on how to secure cyberspace—and then announced that despite all the hoopla, the 65-page strategy was actually only a draft. (See “Pretty Please,” Page 24, for details.) At Whitehouse.gov, the duo invited the public to offer feedback by Nov. 18, 2002 (e-mail feedback@cybersecurity.gov). In the spirit of giving them what they asked for, we humbly suggest 10 ways to improve the draft.

1. Sure, we’re a little biased, but the CSO and CISO receive only four mentions in 65 pages. Forget e-mail, if we had a nickel for each mention, we could almost call Richard Clarke personally.

2. More clever acronyms. A.C.T.I.O.N.S. stands for: Authentication, Configuration management, Training, Incident response, Organization network, Network management and Smart procurement. For future reference, A.Y.K.M. stands for Are You Kidding Me?

3. Even more of an escape clause for CFOs, beyond the disclaimer that all suggestions will vary in “cost effectiveness.”

4. A less printer-friendly version with even smaller type. There’s a chance that the current document is readable with an electron microscope.

5. Offer CSOs real incentives to implement these best practices—perhaps the chance to be a director of Homeland Security for a day?

6. Fewer bold mandates that will scare vendors, such as: “The software industry should consider promoting more secure out-of-the-box installation and implementation of their products.” A.Y.K.M.?

7. And do they have to be so pushy? Clarke and Schmidt should replace the 74 occurrences of the phrase “should consider” with something like, “should perhaps think about whether or not they might want to....”

8. Instead of crashing our computers, how about a one-page PDF referring readers to any list of best security practices released by Gartner, Giga or Meta Group in the past three years.

9. Clarke and Schmidt should consider completely removing the word regulate from the final version.

10. There must be one thing left in the document to offend someone. Find that thing and take it out.

-Sarah D. Scalet


Someone Forgot to Invite the CSO

[figure illegible in scan] Number of people on President Bush’s new National Infrastructure Advisory Committee

[figure illegible in scan] Number of IT or security vendors on the committee

0 Number of CSOs or CIOs on the committee

SOURCE: OFFICE OF THE PRESS SECRETARY, SEPT. 18, 2002


Viruses on the Other Platforms

IT MIGHT BE MOSTLY MICROSOFT, but it’s not just Microsoft. As the Slapper virus so clearly demonstrated last month, Linux is vulnerable to viruses too. And as Linux grows in popularity and general use, so will attacks dedicated to dismantling it. Here, according to Sophos antivirus (which says that about 1 percent of its virus library addresses threats to Unix and Linux) are the top three viruses for the geekier Unix and Linux platforms. (For more on this topic, see Page 59.)

UNIX/SADMIND
Type: Unix worm
Detected: May 2001

Internet worm that propagates using a buffer overrun exploit on Solaris systems. Actively seeks vulnerable machines while also scanning for Microsoft IIS Web servers to deface with an offensive message directed at the U.S. government and “PoizonBOx.” Patches are available from Microsoft’s and Sun’s websites.

LINUX/OSF-A
Type: Linux executable virus
Detected: March 2002

Linux/OSF-A will attempt to infect 200 ELF executables in the current working directory and the directory bin. The virus will avoid the file ps or any files ending in ps. If the virus is executed by a privileged user, then it will attempt to create a backdoor server on the system, allowing the attacker to gain remote control of the server.

LINUX/SLAPPER-A
Type: Linux worm
Detected: September 2002

Exploits a buffer overflow in SSL-enabled Apache Web servers. Once active, the worm can be used as a back door to start up a range of denial-of-service attacks. Linux/Slapper-A can customize its attack to specific versions of the Apache Web server. Sophos recommends removing, or limiting access to, the gcc compiler on production Web servers to limit Slapper’s capabilities.
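Sophos’s mitigation in the Linux/Slapper-A entry above (remove, or limit access to, gcc on production Web servers) can be audited and applied mechanically. This added Python example, which is not Sophos’s or the magazine’s code, lists compiler front-ends found in the usual binary directories with their execute bits, strips world-execute from any that are open to everyone, and demonstrates the before and after on a throwaway directory holding a fake gcc; the compiler names and directories searched are my assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumptions, not from the article: the compiler front-ends a source-shipping
# worm would invoke on arrival, and where a distribution usually installs them.
COMPILER_NAMES = ("gcc", "cc", "g++", "c++")
DEFAULT_DIRS = ("/usr/bin", "/usr/local/bin", "/bin")
HARDENED_MODE = 0o750   # owner rwx, group rx, nothing for everyone else


def audit_compilers(search_dirs=DEFAULT_DIRS, names=COMPILER_NAMES):
    """One finding per compiler binary present, recording who may execute it.
    Symlinks (cc -> gcc) are resolved so the real binary's mode is reported."""
    findings = []
    for d in search_dirs:
        for name in names:
            p = Path(d) / name
            if not p.exists():
                continue
            real = p.resolve()
            mode = real.stat().st_mode
            findings.append({
                "path": str(p),
                "real_path": str(real),
                "mode": stat.S_IMODE(mode),
                "world_exec": bool(mode & stat.S_IXOTH),
                "group_exec": bool(mode & stat.S_IXGRP),
            })
    return findings


def restrict_compilers(findings, mode=HARDENED_MODE):
    """The milder of Sophos's two options: keep the compiler but close it to
    everyone outside owner and group (removing the package is stronger).
    Returns the real paths whose mode was changed. Pair this with chgrp to a
    build group so the people who legitimately compile keep access. This only
    raises the bar for a worm that compiles itself on the victim; it does not
    fix the SSL buffer overflow Slapper exploits, so patch that as well."""
    changed = []
    for f in findings:
        if f["world_exec"] and f["real_path"] not in changed:
            os.chmod(f["real_path"], mode)
            changed.append(f["real_path"])
    return changed


def demo():
    """Build a throwaway bin directory with a fake, world-executable gcc and a
    cc alias (constructed fixture), audit it, harden it, audit again.
    Returns (before, after, changed)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_gcc = Path(tmp) / "gcc"
        fake_gcc.write_text("#!/bin/sh\necho fake compiler\n")
        fake_gcc.chmod(0o755)                       # the common packaged default
        (Path(tmp) / "cc").symlink_to(fake_gcc)     # distro-style alias
        before = audit_compilers([tmp])
        changed = restrict_compilers(before)
        after = audit_compilers([tmp])
    return before, after, changed


if __name__ == "__main__":
    for finding in audit_compilers():
        print(finding)
```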




Chief Security Officer
Chief Information Security Officer
Information Risk Manager
Security Architect
Cyber Forensic Specialist
Intrusion Detection Specialist
Information Security Sales Executive

There’s a reason why we are the leader in Information Security Recruitment.

That’s all we do.

L.J. Kushner & Associates, L.L.C.

Securing Your Success

Voice: 732.577.8100
Fax: 732.577.8277


HACKING FOR PROFIT

HACKING FOR FAME

INFRASTRUCTURE SECURITY PLAY

1] In the e-business game, it’s called the hack attack, and it’s one of the many unpredictable threats to your company’s data. The defense? A security-rich integrated infrastructure that guards 24/7.

2] Get the infrastructure you need from team IBM - a leader in end-to-end security solutions. With the help of global security experts, self-managing servers, and Tivoli® security software, you know your infrastructure can be secure on a Fort Knox scale.

3] For more winning plays, visit ibm.com/e-business

(e) business is the game. Play to win.


Top Billing

Pretty Please

The government set out to create a national strategy to secure cyberspace—and it’s still a work in progress

By Julie Hanson

RICHARD CLARKE didn’t want to create another one of those reports that Washington churns out as easily as network TV cranks out a new reality show. But in trying to please politicians, private industry and the public, that may be exactly what the president’s cybersecurity adviser has done. The 57-page draft document released in September, “The National Strategy to Secure Cyberspace,” is less a strategy and more a list of best practices and recommendations. It aims to displease no one and therefore displeases everyone.

Vinton Cerf, senior vice president of architecture and technology at WorldCom, calls the draft an important step but also an unwieldy document. “The total document is long and hard to digest,” says Cerf. “I think the length is partly a consequence of lack of time to try to boil things down to a broader consensus.” Cerf concludes that it is probably premature to set specific requirements without more consensus building.

According to the White House, President Bush directed the development of a National Strategy to Secure Cyberspace “to ensure that America has a clear road map to protect a part of its infrastructure so essential to our way of life.” In the past year, five town hall meetings were held around the country, and 53 clusters of key questions were published to spark public debate. But Clarke and strategy coauthor Howard Schmidt, vice chairman of the president’s Critical Infrastructure Protection Board, claim they need more input.

A survey conducted recently by the Internet Security Alliance (ISA) demonstrates an increased awareness of the need for computer security but a disconnect between the amount of concern and the amount of action taken. “Government has a role to play, and it should raise awareness. It should set a good example following best practices instead of putting the onus on the private sector,” says ISA Executive Director Dave McCurdy.

The Center for Democracy and Technology’s Deputy Director Jim Dempsey also believes the strategy might not have sufficient incentives for the private industry to act, but he’s not sure where the pressure to secure should come from. “I think the government correctly recognized that they could not take a regulatory approach, but that leaves open the question of whether we in society have the incentives for security,” says Dempsey.

If government and private industry are unable to agree on security needs and mandates, the future security of cyberspace is in jeopardy, says RSA Security CEO and President Arthur Coviello. “I was a little disappointed that it was just a draft, but now people can debate,” says Coviello.

The White House is planning at least seven more town hall meetings and is accepting comments until Nov. 18 via e-mail at feedback@cybersecurity.gov. At press time, no date had been set for the final guidelines. ■

To read the draft of the “National Strategy to Secure Cyberspace,” visit www.whitehouse.gov.


NEWS FROM INSIDE THE BELTWAY

Four government agencies (the Department of Defense, Treasury, the Agriculture Department’s National Finance Center and NASA) have certified the use of digitally signed documents that use public-key infrastructure technology.

The government has ordered 6,500 cryptographic smart cards from Datakey to secure laptop access. Employees will use the smart cards, which contain unique digital credentials, to boot up laptops or view encrypted data on the hard drive. The State Department is also using smart cards to control access for up to 105 U.S. government facilities.

The Senate is reviewing a bill (S. 2817) that would increase funding for National Science Foundation initiatives, including cybersecurity and nanotechnology research as well as elementary and secondary math and science education. The bill would authorize more than $37 billion in funding for these efforts between now and FY2007.

The Senate has approved expenditures of more than $900 million during the next five years to bolster the nation’s cybersecurity. Under The Cyber Security Research and Development Act (H.R. 3394), the National Science Foundation will create new cybersecurity research centers, undergraduate program grants, community college grants and fellowships. Another aspect of the bill mandates that the National Institute of Standards and Technology create new program grants for partnerships between academia and industry, and a new program to encourage senior researchers in other fields to work on computer security. The bill must now obtain final approval from the House of Representatives.




Systems Integration
Outsourcing
Infrastructure
Server Technology
Consulting

we do every night

Imagine it:

Business process operations outsourced so efficiently, all parties now save money on a job that once consumed their time and effort. That’s the solution Unisys provided Barclays, HSBC and Lloyds TSB for processing checks.

Done:

Unisys worked with the three banking rivals to form a joint venture and create a new company to do their nightly check processing. The joint venture with Unisys now handles 67% of all checks in the U.K. and profits all parties. Having collaborated every night, they open for business every day...as competitors.

Outsourcing with precision thinking, relentless execution to drive your vision forward

Imagine it. Done.

© 2002 Unisys Corporation. Unisys is a registered trademark of Unisys Corporation.


HIPAA-cratic Oath

Lew Wagner, CISO at the University of Texas M.D. Anderson Cancer Center, answers readers’ questions about HIPAA

Q: Is it true that at some point the Health Insurance Portability and Accountability Act (HIPAA) will disallow the use of Social Security numbers to identify individuals?

A: The use of Social Security numbers, in general from a security perspective, is bad karma. Too many identity theft criminals use that data as a jumping-off point to steal your personal information, ruin your credit and illegally acquire goods, services and products.

The identification numbering system proposed by HIPAA regulations is an effort to reach a more robust level of patient, provider, payer identification as well as streamline reporting of such information across disparate private, state and federal reporting systems and networks.

I highly recommend that if your organization is using Social Security numbers, you should discontinue that as soon as possible.

Q: How are health-care organizations addressing the overlap between the final privacy regulations and the proposed security regulations?

A: There are many crossover points between the privacy and security regulations under HIPAA. Many of the administrative and policy stipulations under privacy require a technological component to enhance the compliance requirement. The fact that the security regulations’ final implementation by Health and Human Services has been delayed numerous times since 2000, and will most likely be delayed again, doesn’t change the fact that privacy regulations must be complied with.

A close coordinated effort needs to be accomplished between security and privacy groups within health-care organizations so that security efforts don’t waste money or result in stovepiped duplicate efforts.


Q: In an environment that manages medical records, can we maintain HIPAA compliance when we are forced to grant rights to an untrusted third party by giving it access to our system?

A: No, you will be in noncompliance. However, by employing administrative and technological procedures, you can sequester such information from third parties that don’t need to know versus those that provide an application service provider service (like electronic medical records). Contractual and service level agreements can be created to protect your institution by obligating the third party to abide by patient health-care information protection requirements.

If the third party is untrusted, I question why you would give it information in the first place, but many legacy holes of this type exist. I have often heard health-care admins or nontechnical folks blindly accept a vendor statement like, “You have to do it our way.” That can’t be further from the truth. The organization I work at has compiled an extensive set of security requirements that we provide to prospective and current vendors.

If a senior executive or physician has a personal stake in a third-party relationship, there can be incredible pressures to cave in to a less secure solution. I have found that talking with the parties, educating them on how the same business can be transacted in a more secure fashion and providing such solutions is a win-win situation.

If your bosses still want to have an insecure relationship with a third party, obtain a letter signed by them saying they accept the risks and acknowledge that they are not complying with HIPAA.

Q: One of the provisions of the privacy portion states that protected health information (PHI) cannot be disclosed to anyone other than the individual to whom it pertains without specific authorization. Are health plans following this interpretation and getting authorization for spouses and family members? Do you expect any additional changes to the privacy regulations that will clarify or simplify this issue?

A: Many health-care organizations are interpreting such privacy requirements to extend to family members, including spouses. Even to the point of not leaving detailed information on the patient’s home phone messaging service. Unless the patient specifically authorizes spouses or family members to be kept informed or to have access to such PHI, they should be excluded.

A significant revision to the privacy rules has been published this year. It states that within your institution, access to PHI can be granted to all institutional clinicians, staff and so on without the patient’s consent in order to ensure quality medical care for that patient. ■


Lew Wagner is the CISO at the University of Texas M.D. Anderson Cancer
Center. 

SHave  a  security  topic  to  suggest  or  an  expert  you’d  like  to 
hear  from?  Send  your  thoughts  to  Assistant  Managing 
Editor  Kathleen  Carr  at  kcarr  icxo.com.  To  read  more  on 
HIPAA,  go  to  www.csoonline.com/counsel. 
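The two answers above rest on one control: release to each outside party only the subset of PHI it needs, and release nothing to a spouse or relative unless the patient has authorized that person. The following is an editor-added worked example of that "minimum necessary" check; it is not code from Lew Wagner or M.D. Anderson. The field groups, the recipient roles, the policy table and the sample patient record are all constructed for illustration, and the research_partner rule that simply drops identifier fields is a crude stand-in for real de-identification, which removes far more.

```python
"""Minimum-necessary release of protected health information (PHI).

Editor-added example. The field groups, roles, policy table and sample
record below are constructed for illustration, not any institution's
real policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field groups a patient record may carry (constructed).
IDENTIFIERS = {"patient_id", "name", "dob", "address", "phone"}
CLINICAL = {"diagnosis", "medications", "lab_results"}
FINANCIAL = {"insurance_id", "billed_amount"}

# Purpose-based policy (constructed): the only fields each kind of
# recipient may receive. Anything not listed is withheld, so a field
# added to the record later is withheld from everyone by default.
POLICY = {
    "treating_clinician": IDENTIFIERS | CLINICAL,
    "billing_asp": {"patient_id", "name", "dob"} | FINANCIAL,
    # Crude stand-in for de-identification: identifier fields dropped.
    # Real de-identification removes more (dates, rare values, free text).
    "research_partner": CLINICAL,
    # Same view as a clinician, but gated on the patient's authorization.
    "family_member": IDENTIFIERS | CLINICAL,
}


@dataclass
class Record:
    data: dict
    # People the patient has authorized in writing (a spouse, a parent).
    authorized_contacts: set = field(default_factory=set)


@dataclass
class AuditEntry:
    recipient: str
    role: str
    fields_released: list  # field names only; never log the PHI itself
    timestamp: str


class DisclosureDenied(Exception):
    """Raised when no policy permits the requested release."""


def disclose(record: Record, recipient: str, role: str, audit: list) -> dict:
    """Return the subset of record.data that `role` may receive and append
    an audit entry. Denies unknown roles and unauthorized family members."""
    if role not in POLICY:
        raise DisclosureDenied(f"no disclosure policy for role {role!r}")
    if role == "family_member" and recipient not in record.authorized_contacts:
        raise DisclosureDenied(f"{recipient!r} is not authorized by the patient")
    allowed = POLICY[role]
    released = {k: v for k, v in record.data.items() if k in allowed}
    audit.append(AuditEntry(
        recipient=recipient,
        role=role,
        fields_released=sorted(released),
        timestamp=datetime.now(timezone.utc).isoformat(),
    ))
    return released


# Constructed sample record; every value is fictitious.
SAMPLE = Record(
    data={
        "patient_id": "P-0001",
        "name": "Jane Example",
        "dob": "1970-01-01",
        "address": "1 Example St",
        "phone": "555-0100",
        "diagnosis": "example diagnosis",
        "medications": ["example-drug"],
        "lab_results": {"hba1c": 6.1},
        "insurance_id": "INS-0042",
        "billed_amount": 120.0,
    },
    authorized_contacts={"John Example"},
)


def demo() -> dict:
    """Run the sample releases and return what each recipient got, the
    denials, and the audit trail, so the outcome can be inspected."""
    audit: list = []
    out = {
        "asp": disclose(SAMPLE, "Billing ASP Inc.", "billing_asp", audit),
        "research": disclose(SAMPLE, "Research Lab", "research_partner", audit),
        "spouse": disclose(SAMPLE, "John Example", "family_member", audit),
    }
    denied = []
    for recipient, role in (("Unrelated Caller", "family_member"),
                            ("Marketing Vendor", "marketing")):
        try:
            disclose(SAMPLE, recipient, role, audit)
        except DisclosureDenied as exc:
            denied.append(str(exc))
    out["denied"] = denied
    out["audit"] = audit
    return out


if __name__ == "__main__":
    for recipient, view in demo().items():
        print(recipient, view)
```

The audit entry records which field names went to whom and when, not the values, so the trail itself does not become another copy of PHI; the deny-by-default policy table is what makes a new vendor or a new record field a conscious decision rather than a leak.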


26 www.csoonline.com November 2002


PHOTO  BY  TOM  CALLINS 




Charting Ethical Waters

Ethics-based security policies will prevent you from being submarined by privacy problems

By David H. Holtzman


AS THE CAPTAIN OF SECURITY, the toughest decisions that you make are those that affect other people. The most problematic decisions lie in the murky and turbulent waters of privacy. Privacy considerations will weigh you down with requests for employee or customer information thrown at you by business units. The burden comes from the knowledge that each time you make one of these ad hoc decisions, you are encouraging activities that might sink the company some day.

The best way to avoid that is to have a culture that empowers employees at every level to be the first line of defense on privacy issues. The staff is likelier to have an instinctive understanding of what's acceptable if business practices are aligned with normal expectations of ethical behavior. Security policies based on ethics are also stronger than shortsighted guidelines designed to profit from legal ambiguities. They're less likely to spring a leak when they're jabbed, and there are lots of ways to get poked if you're running security in today's business climate.

How  would  you  react  to  the  following 
scenarios? 

■ A customer service manager tells you that she thinks that an employee is hunting for another job, and she wants you to help her look through his e-mail.

■ A junior marketing manager tells you that he has made a deal to provide customer information to a strategic partner, and he wants you to pull the necessary information and give it to him on a CD.

■ You install a video surveillance system outside your building and realize that employees are fooling around in the parking lot after hours.

I've had to deal with each of those situations at different points in my career, and I did what I suspect most of you would do: I asked the company lawyers. Let me save you the trouble and tell you that you won't get any real help from them on most privacy issues (caveat: I'm not a lawyer, I don't even play one on TV). It turns out that legally, you can pretty much do what you want. There's no law protecting employee e-mail or most kinds of customer information, and video surveillance is all too quickly becoming a fact of life. Look for guidance elsewhere.

So if it's not illegal, you can do it, right?

That attitude has gotten several companies into trouble recently. Class-action lawsuits and government litigation can take root even in a legal wasteland. There have been numerous cases of privacy-related settlements negotiated by the Federal Trade Commission on behalf of several states.

So far, there haven't been any big awards, but that day is coming soon. The financial rewards reaped by states from tobacco lawsuits have given them a taste for taking on media-ready consumer issues, such as the recent trend toward holding fast-food chains accountable for unhealthy and overweight clientele.

Security officers should be privacy champions because it makes their job easier. CSOs are to security and privacy issues what CFOs are to financial audits. The security department provides insurance to protect the bottom line by anticipating and averting disruptions to the business; the better the expertise at foretelling, the cheaper the price of forestalling.

Creating a privacy-conscious culture that encourages ethical considerations and discourages dubious database dealings is not only an excellent precaution, it helps prevent customer problems from escalating into front-page news stories. Crafting a tough security plan to match that culture will make it difficult for employees to act outside those approved guidelines and will preserve management's options. It's always easier to make one-time exceptions to a tough policy than it is to shoehorn rigorous security process into a cowboy culture in response to a security catastrophe.

Treating sensitive corporate information as a valuable resource is good management. Building a security environment based on ethical principles that employees can understand and implement is great management. Smart executives want smooth sailing, especially when they're in uncharted waters. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.




ILLUSTRATION  BY  GARY  TAXALI 


CIO Robert Pickton and security executive Dan Meacham are finding the right prescription for security at Baylor Health Care Systems

BY SIMONE KAPLAN


IN THIS STORY: ■ The challenge of accomplishing security goals without authority ■ How to bake security costs directly into IT projects ■ Pros and cons of operating without a dedicated infosecurity staff


The  CSO  Role 


AS WE NOTED IN OUR PREMIERE ISSUE (see "Let's Talk," September 2002), building solid relationships with other key executives can be a make-or-break business for CSOs. This month we take an in-depth look at one such alliance between a CSO and an executive counterpart. Our goal is to explore the personal interactions, political realities and thought processes that help the practice of security succeed.

From time to time in future issues, we will look across the org chart to profile CSO relationships with other important executive partners (including the CEO, the CFO, and the vice presidents of marketing, sales and manufacturing). But we thought it made sense to begin this series with what, in many enterprises, is the most crucial interaction of all: the relationship between the CSO and the CIO. We turned to Dallas-based Baylor Health Care Systems, one of the nation's leading health-care institutions. Robert Pickton is senior vice president and CIO, and Dan Meacham is the security information officer. Pickton, who's been with Baylor since 1995, is a 17-year veteran of health-care IT. Meacham reports to Pickton and is a former security consultant with KPMG.

We asked them about the major issues that define their relationship. Though the two clearly get along well and share a strong commitment to security excellence, their conversation also reveals the sort of tension we suspect will surface within many organizations, especially at this relatively early moment in the evolution of security as a strategic enterprise activity. In a wide-ranging conversation with Staff Writer Simone Kaplan, Pickton and Meacham discussed security architecture, spending issues and the dynamics of their relationship, among other things.

CSO: How does security fit into the overall IT structure at Baylor?

Robert Pickton: Basically, it's one of several direct reports in my organization. At the executive level, I have the vice presidents of technology, applications support and data management who report to me. Then I have direct reports for customer service support, security, financial support, communications and administration. We have a lot of different departments here, and my direct reports oversee operations in each department so it's a little more centralized.

Dan Meacham: I report to Bob, and I oversee security in each of Baylor's departments. That means I work with Bob to design our security architecture. Then I take the security requirements to each of the departments and help them understand what needs to be done, get their buy-in and make sure the employees comply with the policy.

Pickton: Until Dan came on board two years ago, I kept running up against people in each department who wanted to take separate, unique approaches to internal security. Everyone had their own version of what our security architecture needed to look like, and it was just too disorganized and inefficient to oversee so many varied policies. So I created the position of security information officer in order to have one person who oversees and defines a single security strategy, policy and analysis.

What's your day-to-day working relationship like?

Pickton: Dan and I have a weekly meeting that lasts about an hour. Dan prepares an agenda and a write-up of the topics he wants to discuss with me. In the meetings, we always discuss our enterprise security architecture and how the various departments are handling their security responsibilities. We talk about HIPAA [the Health Insurance Portability and Accountability Act] a lot and also about business continuity, disaster recovery and follow up on action items from our last meeting. I try to leave some time at the end for us to do some creative strategic thinking.

When it comes to talking to the board, I do it. We have several boards, and I usually end up reporting to as many as 13 meetings each fiscal year. When I do my six-month IT update, I include progress on security and other key projects, but it's usually just so they know we continue to invest in security and that we continue to make progress toward our vision of the security architecture.

So  how  are  security  resources  meted  out? 
Pickton: In terms of resources, I intentionally keep Dan without a staff. I want security projects to be owned by the departments, and I don't want competing strategy. So we have one security policy, but how the departments adopt it and interpret it for their particular applications varies and is overseen by the department heads. I don't want them throwing the responsibility to Dan to do it all. There have been times when he's needed some contract support, but overall he monitors the departments' progress on projects, and the best way for him to do that is to keep him lean and mean. That way he can influence and educate rather than keep order and control, though we don't get hung up on roles and titles as much as we do on getting the work done.

Meacham: Bob and I rarely have disagreements, but we do have a difference of opinion when it comes to resourcing. There have definitely been projects where a team would have been a big help. I'd love to have a staff, but given our structure that may not be appropriate. Bob wants all the accountability to lie with the departments. That's a challenge because here I come saying, We have to be secure, and here's how we're going to do it, but it's coming out of your budget and your resources. That makes follow-up and compliance very difficult.

IT at Baylor Health Care Systems

■ 15,000 users in 120 locations
■ 8,000 desktop computers and 29,706 network nodes
■ 492 BlackBerrys in use
■ 560,000,000 e-mails scanned and processed per year
■ 185 people in the IT department companywide

How did you two come up with Baylor's security architecture and strategy?

Meacham: Well, when it comes to process I drew a lot on my experiences at KPMG, where I helped other companies organize their security structures. Our infrastructure is built around contingency planning, incident response, access control and systems standards. Every machine and system that any department or doctor at Baylor purchases has to meet our security standards before it can be added to the network. We also look very closely at gap analysis, and by that I mean the three traditional gaps between knowledge, technology and compliance. We want business to drive the technology, not the other way around. We measure best practices, and they drive our technology decisions.

When I came to Baylor, Bob and I created a security-capabilities model that looks at cause and effect from the points of view of leadership, policies, management and information assets. We do quarterly risk assessments. As a health-care entity, we pay close attention to privacy and confidentiality, information integrity and availability, and accountability of systems, data and information. That's our infrastructure's backbone.

Pickton: Security isn't static; it's a process, and you have to establish a path by which you will build any program. You have to measure needs and risks constantly as new technologies come out. Three years ago, we never would have discussed wireless security; it just wasn't an issue. But today we have to know exactly how it works because we deploy nearly 500 BlackBerrys in our hospitals. We constantly test our strategies and challenge our assumptions.



What's your process for determining spending levels on security?

Pickton: Security isn't a separate budget item, and I don't think about it as a bucket unto itself. Every nickel we invest in hardware, software or our general technology direction includes the cost of compliance with our security architecture. Every dollar we spend contributes to furthering the security architecture. We do have a security/HIPAA/contingency planning amount that I target for our five-year budget horizon, but I couldn't break it down into a percentage because I've never thought about it that way.

Meacham: Let me give an example. The money that we might allocate for a new system includes what it would cost for that system to be brought up to our security standards. The departments that handle the actual applications are the ones to break their budget down into intrusion detection, antispam filters, antivirus software and so on. For us, that's infrastructure, not security. We don't say 20 percent of the IT budget is dedicated to security. We say, Here are the costs of a project, and security is a requirement of the deliverables.

What are some of the biggest challenges you're facing right now?

Meacham: Dealing with vendors and ASPs [application service providers]. As a health-care entity, we have very particular needs, and most vendors with over-the-counter software can't give us what we need. They say they don't have to comply with HIPAA because they're not a health-care provider or a health-care system; they feel they can be lax on the security end of things. When we request particular security customizations, the vendors say they don't have to do what we want because they aren't subject to HIPAA. But we are, and we need to be secure! Even if they wanted to make the changes, a lot of vendors don't have the resources to make the customizations, and then we have to look at other ways to handle security for that application, like using another product for encryption or auditing.

With ASPs, the challenge lies in their lack of focus on contingency and reliability. They're great about confidentiality, but we also have to make sure our information is accurate and always available. All the ASPs rely heavily on the Internet, which isn't very reliable. Nimda caused us to lose our connection for almost a day. In some cases we've had to force them to install dial-out lines and batch processing for reliability. The ASPs told us we were the only company to request that, and we were like, "And? That's an issue?" I mean, if we were a bank, would it be any different? We have patient information, and we have to respect that like a bank respects your money.

Our RFPs are modeled on the National Institute of Standards and Technology special publication 800-18, which is a systems security guideline published in 1998. It requires the recipient to document all security controls in the purview of their product. By putting that in the RFP, we can precertify potential systems to see if they meet our needs.

Baylor has a chief medical information officer (CMIO). How do you work with him, and how does he fit into the security picture? Do you interact with any physical security authority?

Meacham: Our CMIO works more with the physicians and medical devices in the labs that are affected by HIPAA. Donna Powers is our acting privacy and HIPAA officer. She's a senior vice president at Baylor Medical Center. We meet as needed but at least once a month and sometimes more often to discuss security around HIPAA. We get into privacy-related issues when we need to.

On the physical side, I interact regularly with the Baylor department of public safety. We're involved with them in InfraGard (see "Safety in Numbers," Page 52), and the police chief is in charge of response for our chapter. I meet with them almost every other week. They report to the police chief, not to me, but we have a partnership. So if they have infosec questions, they come to me, or I go to them. If something happens on the computer that we need to investigate or an incident occurs that we see as threatening, we bring in the police. They have the established relationship with local and federal law enforcement. They're trained to do information forensics, so if a situation were to arise, I'd rather have them handle it from a liability standpoint than someone with whom I'm not familiar.

Security seems tightly connected to IT at Baylor. Do you see it moving out on its own anytime soon?

Pickton: No, not with us. So much of what we do in health care is about systems and data collection that it really makes more sense for security to be within the IT organization. I need security right where it is. I created the security job description. Dan is my direct report. I went looking for the role.

Meacham: Moving security away from IT wouldn't make a lot of sense at Baylor. What I do is really in line with IT. But I do think the security executive position is evolving at other corporations. When I was at KPMG, we were concerned about where security and internal audit interacted and whether they should report to the same person. But health care is a totally different beast, and other health-care organizations are positioning security like we are. In this industry, security is perceived as law enforcement, not information security, so for a CSO to take hold in this industry, I think he'd really need to have a foothold in both physical and IT security. In the next five to 12 years, I think we'll see more CSO positions at the corporate level, and they may incorporate compliance and risk management. ■

Send feedback to Staff Writer Simone Kaplan at skaplan@cxo.com.


When you talk security to your business colleagues, do they listen? Senior Writer Scott Berinato says security is everyone's problem. Read his Alarmed column, MAKING IT PERSONAL. Go to www.csoonline.com/printlinks.



AS ONE OF THE NATION'S LARGEST INSURANCE COMPANIES, USAA IS IN THE BUSINESS OF MANAGING RISK. SO IT MAKES SENSE THAT, WHEN FACED WITH A DISASTER, THE COMPANY KNOWS HOW TO RESPOND.

BY DAINTRY DUFFY

■ IN THIS STORY: How to develop contingency plans that fit your company's risk tolerance ■ Why IT and physical security operations need to interact


Cover Story | Business Continuity

JULY 24, 2002

IT'S 5:30 a.m., and USAA's top executives and their staff are summoned to company headquarters.

In a room flanked by computers, 650 of USAA's executives and staff have gathered to hear a terse announcement by the company's CIO, Steve Yates. "A major U.S. bank has just reported a bomb at its headquarters," he says.

Outside, employees are starting a normal workday, slowly trickling in to USAA's sprawling 286-acre San Antonio campus. To them, it's just another hot, muggy day, the kind that one expects at the end of July in south Texas. But deep below the company's headquarters, in a concrete bunker built to withstand a Force 3 tornado or a direct hit from a 727, things are anything but normal.

The day before, the corporate situation management team (CSMT), composed of business unit representatives and many of the company's executive counsel, along with staff members from finance, human resources, e-business, general counsel and corporate communications, were told that the FBI was warning of possible terrorist activity at financial institutions planned for July 24. In addition, a hurricane was reported to be forming off the Virginia coast, posing a potential threat to USAA's Norfolk office.

Yates’s  report  hushes  the 
room.  “We  have  a  live  event,” 
he  tells  them,  setting  off  a 
flurry  of  activity  as  the  team 
shifts  into  response  mode. 

In truth, however, there was no live event. This was only part of a drill, an elaborate business continuity exercise USAA had devised to teach its executives and employees to deal with disasters, everything from anthrax and bombs to an outbreak of severe food poisoning. Before this daylong exercise, the company's employees knew they would be participating in a drill. What they didn't know, however, was the exact nature of the "emergencies" they would face throughout the day.

While USAA's approach to continuity planning is extreme, so are the stakes. This Fortune 200 company manages $64 billion in assets. Its Texas campus houses 16,000 to 20,000 people on any given day, roughly the same number of people who work in downtown San Antonio. With 5 million square feet of office space, it is one of the largest horizontal office buildings in the world (second only to the Pentagon). So if a major security event ever hit the facility, significant casualties would be a possibility. USAA provides property, casualty and life insurance and banking, brokerage and investment management services, primarily to members of the military and their families. So, as an insurer, USAA is also in the risk management business and has significant experience dealing with unanticipated disasters.

While few CSOs could afford to run exercises this elaborate, even those executives swimming in the shallow end of the risk pool can learn some lessons from observing these well-planned war games. This story looks at how USAA developed a contingency plan that suited its risk model and how other CSOs can determine where they and their company belong on that continuum.

It’s 7:15 a.m. A bomb is found at the headquarters of a major East Coast bank.

Reporting to the corporate situation management team are individual business unit SMTs that relay to the top executives in the command center what’s happening and keep the business units functioning when an emergency hits. Each SMT is composed of three smaller teams—red, white and blue—that alternate shifts.

As each new event is thrown into the scenario, the SMTs face the challenge of trying to understand its implications for their business unit, not only from a human perspective but also from a customer support perspective. Yates points out that the company is often dealing in “live-money” transactions, where members (USAA’s term for customers) want to sell stock, transfer money or get cash right away. In an emergency, in particular, people want access to their money, and in those situations USAA can’t afford to be unavailable.

It’s 9 a.m. A loud explosion is heard in the building. Several casualties are reported.

USAA has learned to embrace Murphy’s Law. “In combat, anything that can go wrong will,” says Yates. “So you need to be working on instinct and training rather than emotion and fear.” Many of the events that were injected into the exercise were done so precisely to test that training.

In an emergency, company leaders won’t always be available. This is a principal tenet in USAA’s approach to continuity planning. The CSMT executives held a lottery first thing in the morning to simulate this loss of leadership, and they removed three executives from the exercise. Other individuals had to unexpectedly take over, testing their ability to suddenly lead without relying on the executive staff for guidance.
Moreover, business unit SMTs working inside the “bombed” building also had to simulate that team members were lost. The surviving members of each group had to figure out how to carry on without those coworkers. On the IT department’s team, for example, the entire group responsible for relocating workstations during the exercise was declared dead. In other cases, evacuations forced the situation management team members out onto the lawn where they had to try to keep their business unit functioning and their employees organized via cell phone.

The series of evacuations actually produced one of the event’s most interesting lessons. The employees of USAA’s life insurance unit were evacuated from their building and were supposed to be relocated to another area where IT was setting up computers and phones for them. But the process would take almost two hours. During that time, employees would be standing on the lawn in the hot Texas sun. An executive in the CSMT questioned leaving them out there. Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car key was still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home? Just imagine trying to quickly evacuate a football stadium full of people, and you can see the challenges.

USAA CIO STEVE YATES (FAR LEFT) BEGINS THE simulation by establishing a command center where he briefs members of the corporate situation management team. Incident command posts are posted within the organization, as well as on the grounds, to facilitate orderly evacuations.

USAA

HEADQUARTERS San Antonio

CORE BUSINESS Provides property, casualty and life insurance and banking, discount brokerage, and investment management services—primarily to members of the military and their families

FOUNDED 1922

EMPLOYEES 22,000

CUSTOMERS More than 4.7 million

CHAIRMAN & CEO Bob Davis

CIO Steve Yates

ASSISTANT VP OF BUSINESS CONTINUATION John Blaha

ASSISTANT VP OF SECURITY Pete Hugdahl

Building a Plan

If things are going perfectly, the people at USAA think they’re not pushing hard enough

WHEN CIO STEVE YATES joined USAA three years ago, the company’s business continuity exercises were only on paper. Every year or so, the top-level staffers gathered in a conference room to role-play; they’d spend a day examining different scenarios, talking them out—discussing how they thought the procedures should be defined and how they thought people would respond to them.

Live exercises were confined to the company’s technology assets where they would conduct periodic data recovery tests of different business units—like taking a piece of the life insurance department and recovering it from backup data.

In truth, Yates wondered if such passive exercises reflected reality. He also wondered if USAA’s employees would really know how to follow such a plan in a real emergency. “Could the company really withstand something massive instead of minor?” he asked. When Sept. 11 came along, he realized the company had to do more. “Sept. 11 forced us to raise the bar on ourselves,” says Yates.

So he engaged outside consultants who suggested that the company build a second data center in the area as a backup. After weighing the costs and benefits of such a project, USAA initially concluded that it would be more efficient to rent space on the East Coast. But after the attack on the World Trade Center and Pentagon, when air traffic came to a halt, Yates knew it was foolhardy to have a data center so far away. Ironically, USAA was set to sign the lease contract the week of Sept. 11.

Instead, USAA built a center in Texas, only 200 miles away—close enough to drive to but on a different power grid and water supply from its San Antonio building. The company has also made plans to deploy critical employees to other office locations around the country.

Yates made site visits to companies such as FedEx, First Union, Merrill Lynch and Wachovia to hear about their approach to contingency planning. USAA also consulted with PR firm Fleishman-Hillard about how USAA, in a crisis situation, could communicate most effectively with its customers and employees.

Finally, Yates decided to put together a series of large-scale business continuity exercises designed to test the performance of individual business units and the company at large in the event of wide-scale business disruption. In March, the company simulated a loss of the primary data center for its federal savings bank unit and recovered the systems, applications and all 19 of the third-party vendor connections. In July and August, it ran similar exercises with other business units.

For the main event on July 24, 2002, however, Yates didn’t want to test only the company’s technology procedures; he wanted to incorporate the most unpredictable element in any contingency planning exercise: the people. -D.D.

STEVE YATES

40 www.csoonline.com November 2002



Business Continuity Planning: How Much Is Right for You?

THE ELABORATE machinations that USAA goes through in developing and testing its contingency plans might strike the average CSO as a bit over the top. After all, HazMat training and an evacuation plan for 20,000 employees is not a necessity for every company. Like much of security, the issue of continuity planning comes down to basic risk management: How much risk can your company tolerate, and how can that risk be effectively mitigated?

In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. It’s a trade-off that Pete Hugdahl, USAA’s assistant vice president of security, frequently confronts. “It gets really difficult when the cost factor comes into play,” he says. “Are we going to spend $100,000 to fence in the property? How do we know if it’s worth it?”

And—make no mistake—there is no absolute answer. Whether you spend the money or accept the risk is an executive decision. However, USAA has found that testing your plan is an inexpensive and important step.

Here’s a contingency planning toolkit:

1. Develop and practice a contingency plan that includes a succession plan for your CEO.

2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency won’t always be available.

3. Consider creating offsite crisis meeting places for top executives.

4. Make sure average employees—as well as executives—are involved in the exercises so that they get practice in responding to an emergency and following orders in chaos.

5. Make exercises realistic enough to tap into employees’ emotions so that you can see how they’ll react when the situation gets stressful.

6. Practice crisis communication with employees, customers and the outside world.

7. Invest in an alternate means of communication in case the phone networks go down.

8. Form partnerships with local emergency response groups—firefighters, police and EMTs—to establish a good working relationship. Let them become familiar with your company and site.

9. Evaluate your company’s performance during each test, and make changes to ensure constant improvement. Continuity plans should reveal weaknesses.

10. Regularly test your continuity plan to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company. -D.D.

EMERGENCY RESPONSE TEAMS DEAL WITH “injured” employees, providing guidance, trauma care and counsel. As employees evacuate their offices, they are greeted by the spray of a decontamination hose—just in case.

It’s 10:30 a.m. The CEO has been confirmed dead.

In one very high-profile fatality, Yates’s exercise “killed off” the company’s CEO (whose body was discovered in the wake of one of the explosions). “We did that to let his succession plan unfold,” says John Blaha, USAA’s assistant vice president of business continuation. The property and casualty SMT ran through some of the steps it would have to take in such an event—like notifying the state’s insurance commissioner.

It’s 11:30 a.m. The hurricane has reached Category 4 and is projected to make landfall on the Virginia coast at 4:30 p.m.

Even though weather and on-campus chaos were intentionally thrown into the exercise, reality also presented its own challenges.

A bona fide emergency call actually came in during the July 24 drill when a suspicious substance was found in the company’s cash processing center. The USAA staff reacted appropriately. To avoid confusion, employees had been instructed to say, “This is the exercise,” before exchanging information about the different scenarios so that everyone would understand what was real and what was simulated. As a result, no one was confused when the real call came in. “Within minutes, we had guys suited up, the security team in force, and the area cordoned off,” says Wayne Peacock, the senior vice president of corporate real estate. Although ultimately it turned out to be a false alarm, Peacock was impressed with the employees’ ability to quickly take what they were practicing and apply it in real life.

It’s 12:45 p.m. Employees begin to evacuate the campus.

Part of continuity planning involves preparing for the unknown. The goal at USAA was to begin challenging people’s emotions so that they could learn how they would react and then plan for that reaction. Beyond faking deaths, the scheme called for simulated injuries. Courtesy of some artfully applied makeup, a dozen employees were gashed, caked with blood and placed on the lawn where other employees were being evacuated. Performance Measurement Analyst Dave Terris’s eye was impaled by a sharp needle, and Bill Blauser, a business project manager, had an abdominal hemorrhage. Denise Ezquerra, a billing support manager, was stricken with what’s termed sludge (you don’t want to know) as a result of anthrax exposure. To further the role-playing, the employees had been coached as to how people with those wounds would react. Obviously, the evacuated employees knew that the situation was fake, but the moaning and pleas for help from their injured coworkers added a dose of reality, and also gave USAA’s safety and environmental affairs group a chance to practice maintaining employee calm.

To add to the realism, employees exposed in the mock anthrax attack had to go through a decontamination shower set up for possible hazardous-material exposure (employees were forewarned to wear bathing suits). They were then escorted by specially trained USAA employees who guided them into a HazMat tent for further decontamination. After leaving the tent, injured employees were escorted to tarps where USAA’s medical personnel were on hand to patch up the wounded. While staffers rehearsed the evacuation and decontamination process, small groups of USAA employees acted as observers, making notes about possible improvements.

Far from resenting these elaborate machinations and the time away from their job, USAA employees are enthusiastic about these exercises. “Before 9/11, if you conducted a fire drill, people ignored it,” says Wendi Strong, senior vice president of corporate communications. “But now they don’t see it as an inconvenience; it’s a valued exercise—something that their employer is doing to protect them.”

ESTABLISHING RELATIONSHIPS WITH local paramedics is an integral part of USAA’s disaster planning.

It’s 1:30 p.m. Local news stations are onsite requesting a human interest story.

In a crisis, communication is often the first part of the corporate machinery to break down. Recognizing this, USAA has put a great deal of
time and money into building as many avenues and techniques for emergency communication as possible. “We’re highly dependent on our internal communications network—video, e-mail, telephones and intercom,” says Yates. “If we had something really bad happen, all wires might be cut and we could have thousands of people wondering what to do.” During the exercise, the SMTs experimented with using both cell phones and walkie-talkies to communicate with each other. In addition, the company bought 18 satellite phones—at $1,250 each—and dispersed them among senior staff in the event that the whole phone network goes down.

The company also has what Blaha, a former NASA astronaut, refers to as the No-Comm (no communication) plan. The senior staff and SMT members have laminated white cards with directions written on them to point executives to a location where they can go to meet up with the rest of their team in the event that something massive in scale occurs and the phones are jammed.

Not only is it important to know how to communicate in crisis, it’s also critical to know what to communicate. Strong wanted to test and find out how quickly her corporate communications team could draft a message as well as what kind of language they would use under pressure. So during the exercise, Strong and her group practiced what they would say to the company’s employees and customers. They wrote memos and press releases and communicated updates to employees over a limited number of public announcement systems.

Strong had the CFO go to an on-campus studio, where USAA has its own closed-circuit television system, so that he could record a message to the employee population. This exercise gave Strong a chance to test these messages with a number of employees to see how they, in turn, would react to certain kinds of language.

It’s 3 p.m. The exercise ends.

How did they fare? The July 24 exercise was the largest the company had ever done and the first time it had included the San Antonio fire department and EMTs in a broadscale drill. During the exercise, the fire department helped evacuate employees and get them to medical assistance, and it also had the opportunity to interact with USAA’s own emergency personnel.

Now, if a real emergency occurs, the partnership USAA has built with the city will benefit both groups. “The city fire officials have seen our folks face-to-face; they’ve talked and worked together. It’s not just Captain So and So,” says Blaha. “There’s no question that because of what we did here, if we had a real disaster next week, we’d work better with the city. We’d certainly minimize injury to employees and emergency workers, and our company would recover faster.”

At the end of the day, all the teams talked through the major lessons learned, highlighting areas where improvements should be built into the company’s continuity plan. The next morning another meeting was held to analyze the exercise at a deeper level, and each situation management team presented the top three problems it had encountered along with a plan to fix them. The company documented all of those findings and actions, and set a turnaround time of one month to implement the fixes.

Obviously, continuity plans cannot exist only on paper. Regularly putting them into practice lets the company see how it would function in a real situation. USAA plans to continue running full-scale exercises at least once a year, with smaller exercises every few months. “There are so many interdependencies today. It’s not just a physical security issue, it’s not just a technology issue, it’s not just a line of business issue, and it’s not just a corporate issue,” says Peacock. “They’re all going on at the same time. On paper, you can guess at how they fit together and how they interrelate, but until you’ve actually gone through the exercise, you don’t see how it might unfold. The more times you do it, the better prepared you’ll be.” ■

Share your perspective on business continuity planning with Senior Editor Daintry Duffy at dduffy@cxo.com.

Read TRENDS IN BUSINESS CONTINUITY PLANNING: NOT WHAT EVERYONE EXPECTED, a CSOonline analyst report from Giga Information Group, to learn more about business continuity strategies. Go to www.csoonline.com/printlinks.



Secure your entire network.

Today complete security means protecting data and voice, along with everything else your network currently includes. Having the right firewall or even securing your wireless LANs and VPNs for data is just a starting point. With the possibility of threats like accessing stored voicemails or intercepting IP Telephony traffic looming over your network, you need complete multi-vendor, multi-technology, multi-applications security consultancy. Protect all your points.

Introducing the Avaya Enterprise Security Practice. Our Security Consultants offer expertise in voice, data, and converged networks, with both technology and vertical certifications. Avaya helps secure internal and external points of access, including IP Telephony Messaging and CRM, as well as VPNs, wireless LANs and PBXs.

WHICH PART OF YOUR NETWORK IS LEAVING YOUR BUSINESS OPEN TO BREACHES IN SECURITY?

With communications networks now made up of multiple interconnected parts, it’s no longer safe to just protect individual pieces of them. That’s why you need Avaya, the company that can assess, develop policy and design security for your whole network.

Ensure your company’s future.

Don’t leave your communications network unprotected. Prepare for today’s rapid changes in network security and sign up for our Web Event at avaya.com/secure

AVAYA
COMMUNICATION WITHOUT BOUNDARIES


Federal Legislation

For corporate America, a new exemption to the Freedom of Information Act is a comforting notion—but one that’s vastly misunderstood. Here’s what FOIA is and what it isn’t.

By Sarah D. Scalet

ILLUSTRATION BY ALEX NABAUM

■ IN THIS STORY: What the Freedom of Information Act really says and how the new FOIA exemption can benefit CSOs

HEARD THE ONE about the CSO who declared FOIA his top policy concern—and then admitted he didn’t really know what FOIA was?

OK, it’s not so funny. But neither is messing with the Freedom of Information Act (FOIA), the 35-year-old rule book on how members of the public can access government records on anything from suspected alien activity to demographics about Zantac.

Well, not just anything. FOIA has its limits: nine of them, to be exact, in the form of exemptions intended to protect national security and other necessarily private machinations of the government. But if businesses get their way—and it looks like they will—a new FOIA exemption will soon be law. In July, as part of the Homeland Defense bill, the House of Representatives passed legislation that would protect companies that voluntarily share physical and computer-related critical infrastructure information with the government. The Senate agreed on a similar provision as an amendment to its Homeland Security bill. At press time, the Senate legislation was stalled because of unrelated concerns, but the FOIA exemption seemed poised to become a reality, if not this year then next.

For people like Bruce Bonsall, CISO of the MassMutual Financial Group in Springfield, Mass. (and one practitioner who does, in fact, understand FOIA), the new exemption can’t come soon enough. “Information is power, and we just don’t want to share powerful information that relates to our vulnerabilities with anyone other than people we’re collaborating with to protect critical infrastructures. That’s tipping our hand,” Bonsall says. He and others fear that if they share details about network threats and vulnerabilities with the government, then journalists, watchdog groups, competitors or even terrorists will use FOIA to access that information. The result? Embarrassment, possible litigation and clues for ne’er-do-wells who want to attack a company’s system or ruin its business plan.

But critics worry that a new exemption would create what Rep. Janice Schakowsky (D-Ill.) has called “a loophole big enough to drive any corporation and its secrets through.” They say companies will misuse the new exemption to hide misdeeds and protect themselves from negligence lawsuits—concerns underscored by years of tangling between environmental advocates and the energy industry over what public safety records should be made public.

The Bush administration, meanwhile, has taken an odd middle ground, arguing that a new FOIA exemption is at once necessary and unnecessary. “Our lawyers say the law, as currently written, would allow us to protect that information,” says Richard Clarke, President Bush’s top cybersecurity adviser. “But that doesn’t persuade companies to give us the information. Their lawyers believe they need additional protection; therefore we need to get additional protection.”

As the debate rages, CSOs—even those who admit privately that they don’t understand FOIA—have been able to use the proposed exemption as an easy excuse for not yet partnering with the government on protecting the nation’s privately held energy, communications, financial and other critical systems.

That won’t be true for long. And only CSOs who understand FOIA and its exemptions, both new and old, will be able to help evaluate their company’s risk of exposure.


ESTABLISHED  IN  SECTION  552  OF  TITLE  5 

of  the  United  States  Code,  the  Freedom  of 
Information  Act  (FOIA,  sometimes  pro¬ 
nounced  foy-uh )  was  passed  under  the  prem¬ 
ise  that  sunlight  is  the  best  way  to  dispel 
chicaneiy  in  every  corner  of  the  government. 
FOIA  creates  procedures  for  members  of  the 
public  to  write  to  a  federal  department  or 
agency,  describe  specific  information  that  they 
believe  the  agency  has  on  file,  and  request 
photocopies  of  the  records.  Best  known  as  a 
tool  for  gumshoe  journalists  and  conspiracy 
theorists,  FOIA  is  also  used  by  advocacy 
groups,  government  watchdogs,  academic 
researchers,  businesses,  lawyers  and  all  kinds 


of  curious  individuals,  U.S.  citizens  or  not.  In 
2001  alone,  196,917  FOIA  requests  were  filed 
by  people  who  wanted  everything  from  details 
about  deported  refugees  to  product  safety 
records  to,  yes,  suspected  UFOs. 

Although  current  talk  about  FOIA  centers 
on  public  access  to  information,  the  legislation 
was  born  half  a  century  ago  in  a  power  strug¬ 
gle  between  the  executive  and  legislative 
branches  of  the  U.S.  government.  When  the 
Eisenhower  administration  fired  alleged  Com¬ 
munists  in  the  early  ’50s,  Rep.  John  E.  Moss 
(D-Calif.),  head  of  the  Special  Government 
Information  Subcommittee,  asked  for  details 
about  who  was  fired  and  why. 

“They  wouldn’t  tell  him,”  says  Thomas  S. 
Blanton,  director  of  the  National  Security 
Archive,  an  independent  research  organization 
at  The  George  Washington  University.  That 
was  just  one  of  the  reasons  the  Democrat-led 
Congress  began  a  battle  to  get  the  Republican 
White  House  to  share  information  with  Con¬ 
gress.  In  hearings  held  into  the  next  decade— 
and  cheered  on  by  newspapers  that  argued  for 
the  public’s  “right  to  know”— members  of  Con¬ 
gress  showed  a  record  of  government  cover- 
ups  intended  to  protect  not  national  security 
but  bureaucratic  embarrassment. 

But  when  the  Democrats  took  power  in 
1961,  President  Kennedy  and  Vice  President 
Johnson  had  their  own  reasons  for  not  want¬ 
ing  FOIA  to  pass.  Legislation  stalled  until  July 
4,  1966,  when  Johnson,  by  then  president, 
reluctantly  signed  the  FOIA  into  law.  “It  was 
only  grudgingly  that  Johnson  signed  FOIA,” 
Blanton  says.  “One  more  day  and  it  would 
have  been  a  pocket  veto.  There  was  no  signing 
ceremony,  which  was  unusual.” 

FOIA lacked teeth at first, because people whose FOIA requests were denied had no recourse. Then, the Watergate scandal again forced Congress’s hand. In 1974, a Democratic Congress overrode President Ford’s veto and passed an amendment saying that judges must review the claims of FOIA requesters rather than dismissing them on the basis of an affidavit filed by the government agency.

These days, an agency technically has 10 working days to respond to an initial FOIA request. Overloaded FOIA officers might respond that it will take longer, even months, to fill the request. They might respond that the description is inadequate or that the information does not exist. And they might also deny the request on the basis of one of the nine exemptions. For example, records that might damage national security are exempt from FOIA requests, as are details about law enforcement investigations (although court documents are part of the public record). If a FOIA request is denied on the basis of one of the exemptions, the requesting individual can go through an appeals process that could end up with a judge determining whether the information should be released.

The process, while cumbersome, can pay off. In recent years, FOIA requests have led to the disclosure of files about the assassination of President Kennedy, geographical statistics about children who were prescribed Ritalin and details about Vice President Dick Cheney’s task force—in which case two groups, the Natural Resources Defense Council and Judicial Watch, filed suit to get the Department of Energy and White House to release the records.

Who Wants What?

Although FOIA was intended to let citizens keep an eye on the federal government, over the years it has morphed into a time-consuming process used less often by deadline-driven journalists and more often by businesses doing competitive research. “That was definitely not the intention,” says Herbert Foerstel, a retired librarian who wrote Freedom of Information and the Right to Know: The Origins and Applications of the Freedom of Information Act. “If Pepsi could, they would get Coca-Cola’s formula under the Freedom of Information Act.”

They can’t, of course. Exemption 4 of FOIA protects “trade secrets and commercial or financial information obtained from a person and privileged or confidential.” Government agencies have to warn a business before releasing information identified as confidential, and the business can file a reverse lawsuit to keep the government from releasing it. However, much of the commercial data submitted to the government is not exempt. Companies routinely use FOIA for competitive research to learn about, say, new drug applications filed with the Food and Drug Administration or the winning bid for a NASA contract.

48 www.csoonline.com November 2002

TIMELINE

1953 Newspaper editor Harold Cross publishes The People's Right to Know, arguing that the electorate deserves to know about the workings of the government. The press would be a catalyst for getting FOIA passed.

1950s A Democrat-led Congress launches a series of hearings to try to get the executive branch to share more information with the legislative branch, in part because the Eisenhower administration fired a group of alleged Communists and refused to share details about who and why.

1961 President Kennedy takes office, but the legislation still stalls even with a Democrat in charge.

1966 President Johnson reluctantly signs the Freedom of Information Act, written by Rep. John E. Moss (D-Calif.), but the act has no enforcement mechanism.

1974 In the midst of the Watergate scandal, Congress overrides President Ford's veto and gives FOIA teeth. The amendment says that judges must review the claims of denied FOIA requesters rather than dismissing them on the basis of an affidavit filed by the government agency.

1984 Congress passes an amendment exempting certain CIA files that would expose the identity of spies.

1986 Congress passes an amendment offering greater protection of law enforcement files.

1987 President Reagan issues an executive order that a government agency must tell a business before releasing information that is identified as confidential, giving the business a chance to file a reverse lawsuit to keep the information confidential.

1994 The Clinton administration makes the National Security Council an advisory group to the president instead of a federal agency, exempting NSC records from FOIA.

1996 President Clinton signs an amendment making electronic records subject to FOIA requests, formalizing what the courts had already decided.

2001 Sen. Bob Bennett (R-Utah) and Sen. Jon Kyl (R-Ariz.) submit a bill, the Critical Infrastructure Information Security Act, that would protect businesses that voluntarily share information with the government.

2002 The FOIA exemption for critical infrastructure information gets added onto legislation creating the Department of Homeland Defense. Two different versions of the exemption make their way through the House of Representatives and Senate. At press time, the legislation was stalled, as Congress turned its attention to the conflict with Iraq. However, the debate had shifted from whether a new FOIA exemption should be passed to exactly how it should be worded.

That use of FOIA—an act that Supreme Court Justice Antonin Scalia famously criticized as “the Taj Mahal of the Doctrine of Unanticipated Consequences”—has led to new concerns about corporate information submitted to the government. Meanwhile, the government has been imploring companies to share information about attacks on the private networks that house 85 percent of the nation’s critical infrastructure.

All of which brings us to the current conundrum. Some companies fear that existing FOIA exemptions do not protect information about security threats and vulnerabilities. This kind of information, although sensitive, “may not be a trade secret,” says Stash Jarocki, chairman emeritus and board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), one of several industry groups formed to give practitioners a place to exchange information out of reach of regulators. Nonetheless, last summer the FS-ISAC agreed to start sharing limited information with the FBI’s National Infrastructure Protection Center (NIPC) regardless of FOIA concerns—a move that put Jarocki in a particularly strategic place to argue for the additional FOIA exemption.

“What if I wanted to sit down with the NIPC and show them all the diagrams of my network? Would I do that without [the new FOIA exemption]? Hell no,” says Jarocki, who’s also vice president of Morgan Stanley’s IT security. “Would I like to share with them single points of attack or exposure, to find out how I could solve it and maybe secure it? Sure I would. But I can’t do that today because the bottom line is that you can FOIA that,” he says, making the act into an action.

Federal Legislation

Well, you could try, but you probably wouldn’t get far. The act itself may not explicitly protect critical infrastructure information, but legal precedents do. Ron Dick, director of the NIPC, points to a case involving the Nuclear Regulatory Commission and a watchdog group, the Critical Mass Energy Project. In 1984, Critical Mass asked the NRC to disclose public safety reports submitted by the Institute of Nuclear Power Operations, a nonprofit group formed by nuclear plant owners. The NRC refused, and Critical Mass sued. A U.S. District Court in Washington, D.C., eventually decided in favor of the NRC for two reasons: The information had been voluntarily given to the agency, and disclosing it would make companies less likely to volunteer information in the future—the same arguments that could be used in relation to critical infrastructure protection.

But case law isn’t good enough, Dick says. “Despite this case and others like it, the private sector wants straightforward language—a simple statute they understand.”


His work on Y2K legislation finished, Sen. Bob Bennett (R-Utah) had long been talking about the need for legislation that would encourage companies to share critical infrastructure information with the government. After 9/11, he saw an opportunity, as the public’s right to know began to take a backseat to fighting terrorism. On Sept. 24, 2001, he and Sen. Jon Kyl (R-Ariz.) formally submitted S. 1456, the Critical Infrastructure Information Security Act of 2001. The bill would have exempted voluntarily submitted information related to critical infrastructure from FOIA requests, prevented the information from being used in civil action and protected information-sharing groups like the ISACs from antitrust laws.

The bill languished until a better opportunity came along. Rather than passing the Critical Infrastructure bill by itself, Congress opted to piggyback the FOIA exemption onto the massive piece of legislation creating the Department of Homeland Security. And here is where the story veers into the unavoidably complicated terrain of how a bill becomes a law. At press time, two different FOIA exemptions were winding their way through the legislative process, and lawmakers were at odds about how to improve critical infrastructure protection without furthering the “doctrine of unanticipated consequences.”

In July, the House of Representatives passed its Homeland Security Act, H.R. 5005. Section 724 would protect voluntarily submitted information about critical infrastructure protection from FOIA requests and—more significant—also prevent that information from being used in civil action.

Meanwhile, the Senate agreed on an amendment to its Homeland Security Act, S. 2452, that included a narrower, less business-friendly version of the FOIA exemption that would not protect businesses from litigation and would apply only to information submitted to Homeland Security. At press time, the Senate legislation was stalled over unrelated issues, but if it passes in November or December, the differences between the two bills will have to be hammered out by a joint conference committee.

“The concern that we see expressed is that we’re trying to cover something like the accidental release of chemicals,” says Bobby R. Gillham, manager of global security for ConocoPhillips and a liaison between the government and the oil and natural gas industry. “That’s not what we’re talking about at all. The only exemptions are just in the critical infrastructure and just in that narrow range of vulnerability, threats and incidents.”

David Sobel, general counsel for the Electronic Privacy Information Center, sees it differently. He says that the FOIA exemption is a red herring, and that the real issue is the possibility that voluntarily submitted information couldn’t be used in litigation. “It’s all about accountability,” he says. “It’s about whether security flaws will ever be made public and whether the government or other interested parties would have the ability to seek corrective action against companies that are negligently ignoring security concerns.”

Even if the FOIA exemption doesn’t become law this year, the debate has clearly shifted from whether the FOIA exemption should become reality to exactly what form it should take. It’s unlikely that President Bush would fail to approve the exemption because the Bush administration has encouraged agencies to give requesters only the bare minimum of required information. (In fact, author Foerstel believes that in some ways, the manner in which exemptions are written is less important than the administrative guidelines issued by the attorney general on how to treat FOIA requests. “With [Attorney General John] Ashcroft, his frame of mind is basically, don’t give them anything,” Foerstel says. “His guidelines are very strong in the direction of discouraging the release of information.”)

Whatever final form the exemption takes, there’s no way to know if it will actually improve information sharing or just change the reasons companies are reluctant to talk to the government about security. “We’ve been building relationships and procedures, so the technical ability to share information is there,” says MassMutual’s Bonsall, a member of the Partnership for Critical Infrastructure Security, which includes both federal agencies and critical infrastructure companies. “We have to get beyond the apprehension, and some exemptions from FOIA will help with that.”

But will it open the floodgates? “Absolutely not,” he says. “[Building trust] is an ongoing process. It just doesn’t start and stop.”

Senior Writer Sarah D. Scalet can be reached at sscalet@cxo.com.


WANT TO KNOW MORE ABOUT FOIA?

Find links to these government websites at www.csoonline.com/printlinks. There, you can find the following information:

READ THE LEGISLATION The Freedom of Information Act is spelled out in the United States Code, Title 5, Section 552.

FIND OUT HOW FOIA GETS USED The attorney general must compile statistics on how many requests are filled and how quickly.

LEARN HOW TO USE IT The Department of Justice provides a guide to using FOIA.

GET MORE HELP For an outside opinion, consult the American Civil Liberties Union’s step-by-step guide to using FOIA.


BY  MARY  KATHLEEN  FLYNN 


CSOs need trusty avenues for networking and sharing confidential information. Today there are more choices than ever for connecting with peers.


Outsiders might think of security pros as silent types whose greatest strength is the ability to keep a secret. Insiders know different: Great security requires great communication, and lots of it. Today’s leading CSOs are clamoring for safe forums to share best practices, threat and vulnerability reports, and tricks of the trade.

Ron Baklarz is a good example. Baklarz, chief information security officer of the American Red Cross in Falls Church, Va., is a member of several formal information-sharing groups, including the FBI’s InfraGard program—but recently decided that wasn’t meeting all his information needs. Baklarz established the Chief Security Officer’s Round Table (CSORT) with a handful of other Washington, D.C.-area security colleagues to foster more individual contact with peers and to help each other identify specific, effective information security tools.

While industry associations such as the Information Systems Security Association (ISSA)—on the logical side—and the American Society for Industrial Security (ASIS)—on the physical side—have assisted in security networking for many years, a number of new options are opening up (or gaining renewed membership) for CSOs to connect with their peers and with law enforcement and public sector personnel in the wake of 9/11. Those groups fall into three general categories: industry-specific groups best illustrated by the Information Sharing and Analysis Centers (ISACs); law enforcement groups for geographical regions, including chapters of both InfraGard and the Secret Service Electronic Crimes Task Force; and private initiatives like Baklarz’s CSORT that bring together CSOs from a local region. Each group serves a different purpose, and for that reason few CSOs say they’ve found a single information-sharing group that meets all their needs. Following are details that can help CSOs choose which group, or groups, may suit them best.

Stash Jarocki, VP of IT security at Morgan Stanley, aims to help the Financial Services ISAC draw in more small businesses.

Information Sharing and Analysis Centers

Dating back to the pre-Y2K days of the Clinton administration and supported by the current Bush administration, the Information Sharing and Analysis Centers aim to beef up the security of a given industry by bringing together those responsible for securing that industry—in other words the security professionals who work at the companies within that sector of the economy—and getting them to communicate with the government and with each other. Building an environment of trust is crucial. A successful ISAC (pronounced eye-sack) assures its participants that proprietary competitive interests are being protected while important information is shared.

The ISAC movement is all about securing economic sectors considered part of the country’s critical infrastructure, such as financial services, electric power, oil and gas, telecommunications, and transportation. The first and most developed ISAC is the Financial Services ISAC, known as FS-ISAC, which was launched in October 1999 and consists of a secure database, analytic tools, and information gathering and distribution facilities.

The FS-ISAC’s chief value lies in its ability to alert its membership to potential security threats quickly and to act as a repository for information specific to the financial services community. The June 1999 virus named Worm.Explore.zip provides a classic example of how the FS-ISAC can help CSOs. Thanks to a phone tree, members of the FS-ISAC were alerted to the virus a full eight hours ahead of the public.

Much of the information disseminated by the FS-ISAC can be obtained from other sources, but putting it all together would be a time-consuming process for any single company. Stash Jarocki, chairman emeritus and current board member of the FS-ISAC LLC (a company created to manage the group’s operations), says the FS-ISAC provides financial services professionals with “one-stop shopping for the understanding of vulnerabilities, threats and incidents.” The FS-ISAC also conducts focused research on topics identified by polling the membership and publishes white papers summarizing the research findings.

How FS-ISAC members receive information from the group is up to them. They can visit the group’s website (www.fsisac.com), parts of which are available to the public and parts of which are for members only. They can be alerted to security threats by pager, fax, e-mail or phone. And the group also holds two meetings each year.

Information exchange goes both ways. Members can choose to share information about security threats they have experienced with other members, and they can do so without worrying about giving away sensitive or proprietary company information. The FS-ISAC takes many steps to protect its sources. Information submitted anonymously by an FS-ISAC member gets “scrubbed,” says Jarocki (who is also vice president of IT security engineering at Morgan Stanley). “We take any of the identifying nomenclature about a client off, and then the source is protected.” Even with these data-scrubbing safeguards in place, some CSOs express wariness about disclosing sensitive data to any group that does share information with federal agencies; however, that concern may be allayed somewhat by recent legislative developments. (See “Everything You Ever Wanted to Know About FOIA (But Were Afraid to Ask),” Page 46.)

To help members evaluate ISAC data, the credibility of each report is also analyzed by staff members at Global Integrity, a division of Predictive Systems, before being disseminated. Security alerts are rated from informational to crisis mode.

Currently, the FS-ISAC membership is confined to certified financial entities willing to spring for the $7,000 annual fee (for up to five members per company). Major banks, brokerage houses and insurance companies make up the bulk of membership, but small firms, banks and individuals, such as brokers, are currently not represented. However, Jarocki has proposed a three-tiered membership plan for the FS-ISAC that aims to remove cost as an obstacle to participation. The lowest tier would be a free or inexpensive membership aimed at brokers, traders, small banks and other small financial services companies; the middle tier would be the current type of membership; and the top tier would be a service tailor-made for each particular company. After all, profit isn’t the point. “Look, we’re all part of the same business,” says Jarocki. “Let’s help each other out and get everybody involved.”

InfraGard and Electronic Crimes Task Forces

While ISACs are focused on improving communication within a particular industry, InfraGard is all about sharing information between the public and private sectors—in particular between the FBI and its National Infrastructure Protection Center—on the one side, and businesses, academic institutions, and state and local law enforcement agencies on the other.

Developed by the FBI in Cleveland in 1996, InfraGard today is a national effort involving all 56 FBI field offices, plus 16 satellite offices in larger cities, for a total of 72 InfraGard chapters. Membership recently topped 5,300 individuals and has been growing—even before 9/11—at a rate of about 20 percent each month, according to InfraGard. (The Secret Service’s Electronic Crimes Task Force, or ECTF, meetings are in many respects similar to InfraGard; the first ECTF was actually established earlier, in 1995 in New York City, but other major cities have just started to ramp up.)

Local chapters of InfraGard are formed by private sector members and an FBI field representative. These chapters set up their own boards to govern and share information within the membership, and each chapter is also part of the national InfraGard. Each chapter has an FBI field agent who acts as chapter coordinator—handling paperwork, organizing meetings, overseeing the local board, conducting background checks on members and functioning as an intermediary for the exchange of information. Chapters typically collect nominal, voluntary dues to cover such things as refreshments for the meetings.

Information Sharing

InfraGard’s membership application is on the group’s website (www.infragard.net), and membership is approved on a case-by-case basis. There are two classes of membership: regular and secure. Regular members can be approved by the chapter coordinator, but secure members must also get clearance from a unit chief at FBI headquarters (as must anyone who has been arrested or convicted of a crime). Secure members must sign a detailed agreement with the FBI, which outlines promises on both sides not to disclose proprietary or sensitive information or to sue each other.

Whereas ISACs function primarily as a clearinghouse for information, the main benefit of InfraGard and the Secret Service effort is the chapter meetings, which typically take place once a month or once a quarter. In InfraGard’s case, participation in meetings can range from 40 people to hundreds, depending on the chapter. Meetings usually kick off with a speaker from the FBI or local law enforcement, and then continue with a less formal open forum.

The FBI’s goal is clear—InfraGard provides support for private sector security but also helps establish relationships, which make skittish CSOs more comfortable reporting attacks and breaches. Meetings offer CSOs “the ability to interface with other security colleagues in the area and the ability to know a name and a face at the FBI and other law enforcement agencies who are at the table,” says Supervisory Special Agent Clayt Lemme, the FBI’s National Infrastructure Protection Center training and operations unit chief who supervises the national InfraGard program. “Having a name and a face goes a long way toward building trust. If you actually know someone from the FBI, it’s easier to call up and tell them about something that’s happened to you.”

CSOs say it works. Fostering communication between the public and private sectors is “long overdue,” says John Pontrelli, the global security director for Newark, Del.-based W.L. Gore & Associates, which makes the popular GoreTex fabric. Although not a member of InfraGard, Pontrelli gave a presentation about the public and private sectors working together at a recent meeting of the newly formed Delaware chapter. “What I’ve seen missing [in the past] is the two-way interaction with the private sector, but the government is really trying now,” he says. Pontrelli was pleased to see three local FBI agents at the meeting and impressed by a detailed 90-minute presentation about the state of Delaware’s homeland security strategy.

Information at the chapter meetings is considered confidential. InfraGard members must sign a nondisclosure agreement as part of the membership application process. “When a chapter gets together and you find out that people are attacking Company XYZ using a certain methodology, you’re learning about another company’s proprietary information,” says Lemme. “The reason the other company is willing to discuss it is because everybody else in the room has signed the nondisclosure agreement.”

Regional Roundtables

The rapid growth of ISACs, InfraGard and the Electronic Crimes groups attests to their usefulness. Even so, many CSOs also want less formal, more interactive formats. Carl Lorenzo, CISO of Deltanet, a dental insurance provider based in Rancho Cordova, Calif., says he and other CISOs who met at ISSA meetings do call each other from time to time to share strategies about particular threats, such as the Nimda and Code Red viruses. But, he says, “there’s no coordinated effort to get us together.” Lorenzo would like to see a monthly or bimonthly meeting—in person or by teleconference—of all the top CISOs in his region “to discuss significant events that we feel are critical to homeland infrastructure and security for our companies.”

In both New York City and Washington, D.C., CSOs have formed ad hoc discussion groups to do just that.

In New York City, a roundtable of security professionals in the financial services industry was formed about eight years ago. Approximately 20 security directors from several major brokerages and large banks meet periodically to compare notes. There are no membership dues or specific membership requirements, and the group has no formal name. “We’re a group that had been in place but whose time has come,” says Henry DeGeneste, vice president of global security for Prudential Financial and one of the original roundtable members. Since 9/11, the New York City roundtable has increased the frequency of its meetings from once a quarter to approximately once a month. Between meetings, the group keeps in touch through an e-mail tree. Sept. 11 has changed the nature of what gets discussed at the roundtable meetings. In the past, the focus had often been on government regulations relating to such issues as money laundering and financial fraud, says DeGeneste. Now, he says, “we’re focusing on almost a weekly basis on physical security and protecting our employees and allaying their fears.” Echoing the sentiment of many CSOs, DeGeneste says the emphasis has shifted from information security to a mix of both physical and information security.

Guests at the NYC meetings might include members of the New York Police Department, Secret Service, FBI, or Office of Homeland Security from the state of New York and the national office. The roundtable “helps us sort the wheat from the chaff,” says DeGeneste. “We have the chance to say, What about this story we heard? And somebody from the public sector will say, No, it’s not true.”


Because the New York City roundtable has existed for several years and the members all know each other, there’s an atmosphere of trust. Most of the roundtable participants have a law enforcement background and are accustomed to confidentiality and the protection of proprietary information. “What we say in the room doesn’t leave the room,” says DeGeneste—a less formal but still binding version of InfraGard’s nondisclosure agreement.

Ron Baklarz’s CSORT group in D.C. is just slightly more formal than the NYC version. Approximately 20 members participate in a weekly conference call. Topics on a recent call included regulations that might affect information security, virus mitigations and virtual private network solutions. Baklarz has invested his own money in setting up a website to recruit others in the security field and plans a face-to-face meeting later this fall. Baklarz’s goals for CSORT (www.csort.org) are real simple. He hopes to “offer a forum where people can feel comfortable discussing their security issues knowing that it’s not going to go outside the enterprise, just having somewhere you can ask for help and get support, a sort of support group for security professionals, and a sense that we’re all friends here.”

CSORT has a particular focus on members helping each other evaluate information security tools. Baklarz says the current climate demands ROI analyses of security tools out of a concern for budgets and an increased need for products proven to really work. “Security product costs are out of hand,” he reports, “so our CIOs are coming back to us and asking for some sort of analysis to justify why we need these tools. My rationale for CSORT is to build up a relationship within a group so that we can feel comfortable to say, I tried this product and it’s terrible, or, conversely, This other one was great.” ■

Mary Kathleen Flynn is a freelance writer based in New York City. Send your information-sharing experiences to csoletters@cxo.com.


CSOonline.com has more than a dozen links to security agencies and organizations in its
LEGISLATION & POLICY RESEARCH CENTER
Go to www.csoonline.com/legislation




Beyond E-mail Security - iQ.Suite

35 billion e-mails will be sent daily. (Source: International Data Corporation)

Get ready with iQ.Suite for all your e-mail and business process security, organization, and management.

Protect Your Messaging Platform Today. Be Prepared for Tomorrow.

iQ.Suite - Maximum E-mail Security, Organization and Management

Call Toll Free - 877-GROUP-55
www.group-software.com

TECHNOLOGIES
Intelligence for e-mail


Executives responsible for securing and protecting an organization’s information assets and infrastructure are constantly searching for how to better define their mission and responsibilities within the enterprise. They need a forum in which they can address their own unique sets of business-level challenges — and network with their peers.

CSO PERSPECTIVES

CSO Perspectives meets that need with an educational and networking conference for chief security officers (CSOs) and senior technology decision-makers (CIOs). At CSO Perspectives, you’ll gain first-hand knowledge from industry experts and your peers that can enhance your organization’s security strategy.

You’ll have the opportunity to:

Exchange best practices in balancing risk and responsibility
Learn from your peers what works in the real world
Explore creating a culture of security
Understand the current thinking on key issues and trends
Uncover the hidden threats of legal liability
Examine emerging technologies that will impact your enterprise

For more information, visit us at www.csoperspectives.com or call 1-800-355-0246


Technologies, Tools and Tactics
Edited by Derek Slater

Antivirus: Great Business, Lost Cause

Signature-based scanning software ultimately can’t keep up with the high-speed proliferation of viruses and worms. By Simson Garfinkel


HERE’S A PARADOX: The business of antivirus software has never been better. And yet the long-term prognosis in the antivirus battle has never been more bleak.

This fall, the “National Strategy to Secure Cyberspace” stated that all home and business users need to install antivirus software on their computers and update their systems on a regular basis. Most CSOs and CIOs—dare we say all of them?—by now realize that it is irresponsible to deploy computers without antivirus protection. Nevertheless, the war against computer viruses and their authors is stumbling. Tens of thousands of computer viruses are in circulation. Symantec’s Security Response website reported 81 viruses discovered during a 30-day period this fall. Academics who follow viruses say that that figure understates the threat. “Currently we are seeing new computer viruses and worms, targeted at [Microsoft Windows], reported approximately once every 75 to 90 minutes, on average,” wrote Gene Spafford, computer science professor and director of Purdue University’s Education and Research in Information Assurance and Security, in the 2003 AAAS Science and Technology Yearbook. There’s a key bit of information in Spafford’s line—the bit about Windows. Now this is not an anti-Microsoft rant; all operating systems have displayed vulnerabilities over the years.


But the reliance throughout corporate America on a single OS means all of our eggs are in one basket. There’s a solid argument to make that in the long run, all the antivirus add-ons in the world won’t stem the tide of viruses and worms. Diversity is going to be a necessary element of successful antivirus defense.

So Far, So Lucky

In the United States, the worms that have been the most successful at propagating have inflicted comparatively little damage on their infected hosts. The Melissa, I Love You, Nimda and Code Red worms infected tens of millions of machines in a day and cost corporate America more than a billion dollars in “lost productivity” (although it’s unproven that being without your e-mail for a day really constitutes lost productivity). Aside from sending out a lot of e-mail and clogging servers, though, those worms didn’t fundamentally damage the computers that were infected.

ILLUSTRATION BY ANASTASIA VASILAKIS

Compare that with what happened to Korea on April 26, 1999, when more than 1 million computers had their hard drives wiped and their system BIOS erased by the CIH/Chernobyl virus. In many cases, damaged systems required new BIOS chips or motherboards. Total losses were pegged at $250 million in hard dollars.

CIH/Chernobyl is no match for today’s signature-based antivirus systems. The typical virus scanner has a database of signatures—unique byte strings—for roughly 50,000 viruses. On a properly protected computer, executables infected with a familiar signature such as Chernobyl’s simply can’t run. Signature-based antivirus software is also slowly making its way from the desktop to the network, adding another layer of security.

But there is a serious failing with signature-based systems that few people in the antivirus community admit. Antivirus scanners do nothing to protect against the most serious virus threat today: new viruses. By definition, a new virus won’t be in any existing database of viral signatures. Back when the Melissa and I Love You worms hit, the only way that businesses could protect themselves was to update their antivirus systems. At times this meant updating every day—or even every hour—as new variants of these viruses hit the network.
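The mechanism just described, a database of unique byte strings matched against every executable, together with its blind spot for a strain the database has not seen yet and the vendor update that closes it, as an added illustration for this article (not any vendor's engine; the signature database, the sample "files" and the inert marker strings are all constructed):

```python
"""Minimal byte-signature scanner in the style of the desktop antivirus
engines discussed above. Added illustration, not any vendor's code: the
signature database and sample files are constructed, and the 'malicious'
content is an inert marker string, not executable code."""
from __future__ import annotations

# Constructed signature database: family name -> unique byte string.
# A real engine holds tens of thousands of such entries.
SIGNATURES: dict[str, bytes] = {
    "EXAMPLE.MassMailer.A": b"\x90MAILSELF/v1\x00",
    "EXAMPLE.Wiper.A": b"\x90ERASEBIOS/v1\x00",
}

# Constructed sample files. greeting2.exe is the same program as
# greeting.exe with its marker changed by one byte: a 'new variant' that
# no existing signature covers.
FILES: dict[str, bytes] = {
    "payroll.exe": b"MZ\x90\x00" + b"\x00" * 64 + b"normal program code",
    "greeting.exe": b"MZ\x90\x00" + b"\x90MAILSELF/v1\x00" + b"more code",
    "greeting2.exe": b"MZ\x90\x00" + b"\x90MAILSELF/v2\x00" + b"more code",
}


def scan_bytes(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Return the names of every signature whose byte string occurs in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_files(files: dict[str, bytes],
               signatures: dict[str, bytes] = SIGNATURES) -> dict[str, list[str]]:
    """Scan each file; a file maps to [] when no known signature matches."""
    return {name: scan_bytes(data, signatures) for name, data in files.items()}


def add_signature(signatures: dict[str, bytes], name: str,
                  sample: bytes, marker: bytes) -> dict[str, bytes]:
    """Model the vendor update: analysts pick a unique byte string out of a
    captured sample and ship it to subscribers. Returns a new database."""
    if marker not in sample:
        raise ValueError("marker must occur in the analysed sample")
    return {**signatures, name: marker}


def demo() -> tuple[list[str], list[str], list[str]]:
    """Before the update the variant is invisible; after it, it is caught.
    Returns verdicts for greeting2.exe before and after the update, and for
    the clean payroll.exe."""
    before = scan_bytes(FILES["greeting2.exe"])
    updated = add_signature(SIGNATURES, "EXAMPLE.MassMailer.B",
                            FILES["greeting2.exe"], b"\x90MAILSELF/v2\x00")
    after = scan_bytes(FILES["greeting2.exe"], updated)
    return before, after, scan_bytes(FILES["payroll.exe"])


if __name__ == "__main__":
    print(scan_files(FILES))  # greeting.exe flagged, greeting2.exe missed
    print(demo())
```

The window between the variant's release and the signature update is exactly the exposure the article is describing; nothing in the scanner itself can shorten it.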


The Monoculture Problem

Unfortunately, even this won’t be good enough in the near future. A paper that was presented at this year’s Usenix Security Symposium convincingly showed several strategies for infecting between 1 million and 10 million Internet hosts in 15 minutes or less. The paper is titled “How to Own the Internet in Your Spare Time,” by Stuart Staniford at Silicon Defense, Vern Paxson at ICSI Center for Internet Research and Nicholas Weaver at UC Berkeley. The authors’ findings are based on results they discovered with an Internet simulator that they created for this purpose. (The full text of the paper can be found at www.cs.berkeley.edu/~nweaver/cdc.web.)

There are several workable infection strategies, it turns out. One is to scan in advance for vulnerable machines that are connected to high-bandwidth networks. Another approach is to divide up the Internet’s address space in an intelligent manner so that each copy of the worm has the maximum chance of infecting a virgin machine. Staniford and company call such worms Warhol and Flash. It is impossible to protect against those worms with signature-based antivirus systems: Before a worm could be analyzed and a signature distributed, the damage would already be done.

If someone creates a worm that combines the infection strategy outlined in the Staniford paper with a Chernobyl-style payload, we are looking at a lot more damage than a few days of lost productivity. MSN, HotMail, eBay and tens of thousands of small and midsize businesses would all be shut down, and bringing those companies back up might require getting new hardware, restoring systems from backup tapes (assuming that backups exist) and finally, patching the security flaws. Such repairs could take weeks; many companies would fail.


Managed Services

Security outsourcing is on the rise. In-Stat/MDR research group says the managed-security services market will hit nearly $5 billion by the year 2006. Currently, consulting makes up the biggest slice of the outsourcing pie—but that’s changing. Managed-security monitoring is a fast-growing segment that will surpass consulting services during the next few years, according to In-Stat analyst Jaclynn Bumback. Outsourcing not only embraces mainstream security functions but some very specialized niches as well, as you’ll see below.

Breach Notification

Catbird Networks offers external website security monitoring—checking a website continuously (43,000 times per month) to test for security breaches, including defacement, hijacking and identity theft. The twist is that unlike most monitoring services, Catbird works outside the corporate firewall, providing what the company describes as an “external layer of security.” An example of how this can pay off: According to Catbird, in some cases, Web traffic can be diverted without penetrating the firewall, which means conventional protection from intrusion detection systems won’t sound any alarm.

The service also monitors online transactions and website performance. The company is aiming particularly at customers in regulated industries, citing as a customer case study The Marion Bank in Marion, Ohio, which implemented the Catbird service to help pass muster in an FDIC audit. -Kathleen Carr

Vulnerability Assessment

Of course, it makes more sense to prevent hacker attacks, if possible, than to clean up after them, says Charles Kolodgy, analyst at IDC (a sister company to CSO’s publisher).

That’s Caleb Sima’s reasoning as well. And Sima—like so many security vendors—isn’t afraid to flirt with hyperbole: He’s “99 percent certain” he can break into your website, armed with nothing more than your URL and his company’s software. Sima is founder and CTO of SPI Dynamics, a new player in the Web application vulnerability market (where KaVaDo and Sanctum are the current market leaders, according to Giga Information Group security analyst Michael Rasmussen). Sima’s WebInspect software synchronizes with a central database of hack techniques (which is continually updated by SPI Dynamics) and scans the user’s website for vulnerabilities.

Sima says he has worked with government agencies and others to share his Web monitoring product. Paying customers are offered a demo, after which they can decide whether to spring for the whole contract, which typically costs around $20,000 annually. -K.C.

Why should you look at a secure managed hosting solution?

A recent FBI survey showed that 90% of respondents reported security breaches during the past twelve months. The cost to American business exceeded $260 billion a year.

ServerVault is the number one secure managed hosting company in the world. Our systems were constructed by the people who advised the Pentagon on network security. Our facilities meet Department of Defense SCIF standards and we’re the only ones who can say that.

We provide custom solutions backed by unbeatable customer service:

♦ Secured Managed Hosting
♦ Disaster Recovery and Backup
♦ Connecting Closed-User Communities
♦ Storage Solutions
♦ Secure Email Solutions

Check Mate! Contact us, to win the game, at 1-877-78-VAULT or visit our website at www.servervault.com

PLAN YOUR NEXT MOVE!

ServerVault is a wholly-owned affiliate of Western & Southern Financial Group

Machine Shop


Nevertheless, it’s important to realize that a Warhol or Flash worm would almost necessarily be selective: such a worm would probably exploit just one or two vulnerabilities known to the authors—vulnerabilities that were not widely known, or at least not widely patched. The biggest bang for the worm author, obviously, is going to come from targeting the single largest platform: Microsoft Windows systems running on Intel-based architectures.

I’m not arguing that Windows is a fundamentally less secure OS than Unix—that’s beside the point. All systems have had significant security problems. Even OpenBSD, which boasts just a single remote vulnerability in the past six years, was susceptible to a flaw discovered this fall in the OpenSSL library package. But because of architectural differences, every Unix computer with the OpenSSL library would have had a slightly different exploit. Windows systems, on the other hand, frequently have common exploits. Those computers can rightly be thought of as a monoculture crop—with all the strengths and weaknesses that a monoculture implies.

Much of American agribusiness has adopted monoculture farming in recent years: crops that are genetically identical, have less variation, simplified growing procedures and, as a result, generally increased profits—even though the seeds usually cost more. American business and government, likewise, are standardizing on the Microsoft monoculture to decrease training and deployment costs—even though the software itself costs more. But just as a single virus or fungus can wipe out an entire field of genetically identical organisms, so too can a single computer virus wipe out a network of identically configured Windows servers.


Palladium: Nice Try

Microsoft’s Palladium initiative might be an approach to solving the monoculture problem: In theory, if computers are gimmicked so that they will run only cryptographically signed programs, then viruses won’t run because they won’t be signed. I personally don’t believe that computer users will put up with such a system, but even if they did, Palladium will not put an end to viruses unless every signed program is itself bug-free. Otherwise, a clever hacker will always be able to booby-trap the signed code with a data-driven attack. This isn’t just theory. There have already been several examples of bugs in digitally signed ActiveX applets that could be used to propagate viruses and other nasty programs.

Other researchers are trying to build an “immune system” to protect modern operating systems against viruses—such a system would monitor a computer’s health and attack any program that seems to be acting in a suspicious manner. But just as our own immune system is susceptible to viruses such as AIDS, a monoculture immune system would necessarily have its own Achilles’ heel. Hackers would find it and exploit it.

The  best  approach,  to  borrow  nature’s 
own  solution,  is  to  stop  deploying  a 
monoculture  crop  on  our  desktops  and 
servers.  Businesses  and  government 
should  not  standardize  on  a  single  OS; 
instead,  they  should  adopt  a  dual-source 
or  multisource  approach— deploy  both 
Windows  and  Unix. 

Alas,  that  approach  is  clearly  more 
expensive  in  the  short  run,  but  in  the  long 
run  it  is  dramatically  more  secure.  ■ 

Simson Garfinkel, CISSP, is a Boston-based technology writer, and he is also the CTO of Sandstorm Enterprises.


Wiretapping 

On  to  the  specialized  niche  example:  VeriSign  now 
offers  telecom  companies  an  outsourced  wiretapping 
service. 

VeriSign suggests that by using its new product NetDiscovery, small cellular companies can easily comply with new federal wiretapping regulations and save money. Complying with the Communications Assistance for Law Enforcement Act means cellular communications companies must have wiretapping abilities and be able to retrieve specific conversations, a capability most companies do not currently have. For small companies that could mean expensive systems upgrades, new equipment and staff to run that new equipment. Companies that do not comply face $10,000-a-day fines for every court-ordered wiretap request they cannot fulfill.

VeriSign’s service automates the entire process—managing call content, intercepting calls specified by law enforcement, converting call content and call data into a required legal standard format, and delivering that content directly to law enforcement monitoring facilities via highly secure IP-VPN technologies.

Need we mention that privacy advocates are not excited?

Some privacy groups have expressed concern with the fact that three separate entities—various law enforcement agencies, the original telecom company and now VeriSign—will now be listening to those confidential conversations. But as of October, VeriSign’s NetDiscovery clients already included major wireless carriers in California, Illinois and Montana.

-Julie Hanson




CIO Magazine’s Eleventh Annual Enterprise Value Retreat & Awards
MARRIOTT DESERT SPRINGS, PALM DESERT, CA

Meet—and learn from—this year’s award winners

Only a few organizations make the grade each year. CIO Magazine’s Enterprise Value Awards are the most prestigious in the IT industry. Each winning company shares the good, the bad—and the just plain ugly—on how they built an award-winning system, and what value it brought to its users and to the enterprise.

The Magazine for Information Executives

New Format! New Agenda! New Moderator!

PETER WEILL, Director, Center for Information Systems Research, MIT Sloan School of Management

Roll up your sleeves with an all-new business/IT case study: Meet in small groups to discuss the case in-depth, and present your findings and recommendations.

Explore new ideas from thought-provoking speakers: We’ll bring you speakers who make you think beyond the boundaries of your day-to-day challenges.

Relax with your peers: Network at the CIO Golf Tournament and Super Bowl XXXVII Party

Put it on your calendar now! Call us at 800 355-0246 or visit www.cio.com/conferences.


A  World  of  Difference 

Moving  from  mainframes  to  network  security?  It'll  take 
more  than  a  new  coat  of  paint.  By  Anonymous 


“I DON’T KNOW WHY IT’S SO SLOW,” my systems manager told me. “It’s not because of the system load. There’s barely anything running right now.”

“What does the network traffic level look like?” I asked.

“Nothing on the LAN that I can see,” he replied.

“See if you can log in via the Internet connection,” I said. “Maybe we’re having problems with the connection or something.”

He dialed into his ISP and tried to get a browser to connect to our homepage. The domain name system found it. Then—nothing. Just sat there until it timed out.

“So, what is it?” I asked.

“I dunno,” he answered. “I’ll check the firewall to make sure it’s up and running.”

Well, it was running—but real slow. I mean R-E-A-L S-L-O-W. The systems administrator put a protocol analyzer on the Internet side of the connection and found it was completely overloaded with traffic.

“Well, we’re either very popular today or someone is trying to DoS us,” he said.

DoS us? Huh? Apparently, DoS is short for denial of service. It’s a type of network attack that hackers and script kiddies launch from time to time. It’s like when your grandson clogs the toilet with a roll of toilet paper. The toilet is full, and you are denied service until it is unclogged. The solution is to get rid of the attack. But all the source addresses for the attacking packets change on every arriving packet, so there’s no way to know who was actually sending the traffic as all the source addresses were bogus (or “spoofed,” as it was explained to me).

I know I should know all of this. I used to be a mainframe guy and worked with the big boxes for all our credit card processing. I also ran the mainframe security tools and facilities, so I thought I understood security issues. So far, I’d been holding my own. I know how to write security policies; I’ve gotten the budget sorted out. But I suddenly found myself in hot water. I had no clue about how to deal with an Internet attack.

Security used to be structured, orderly, purposeful. This Internet security stuff, however, is illogical. Why attack our site? We don’t kill whales, we don’t discriminate, and we aren’t politically extravagant. Actually, we’re pretty boring, as companies go. So why would someone want to clog up access to our website? It doesn’t make sense.

I was obviously out of my league with this one, so I called a friend who is the CSO at a large telco. He’s one of those guys who remains true to his technical roots, so I figured if anyone would know what to do, he would.

“Most DoS attacks don’t last longer than 20 to 40 minutes,” he tells me. “If it goes on longer than that, you’ll need to get your network connection vendor to block traffic as best you can.”

As best you can? Geez. What kind of answer is that? Sometimes, he says, you can contact the network vendor that owns the connection to the offending source and have them filter against your site’s address to kill the traffic. But that can take a lot of time. Sometimes, you just give the system address being attacked a new IP address and “null route” the traffic to the old address, he explains. But sometimes, browsers can’t find your site for a couple of days....

I ask him how we find the person doing this, and he laughs. Most are never found, he says. If they are, they’re usually tracked down by professionals. We were probably a practice attack for some hacker, he surmises. You don’t have to have a reason to be attacked, he adds. You’re just a good practice site.

I suppose hackers need practice too. I just wish they would put up their own practice site and leave mine alone.

The attack eventually went away as predicted. I’ve spent time looking into denial-of-service attacks since then and have been appalled to see that the number is increasing drastically—from a few a month in 1998 to more than 5,000 a month now. It’s obvious that this won’t be my last attack.

The biggest eye-opener was my total lack of understanding of the Internet security issues for which I am responsible: DoS attacks, DDoS attacks, website defacements, hacker “gangs,” practice sites, server vulnerabilities, SYN attacks, user extortion, e-mail scams. The list goes on and on.

It’s clear. I have a great deal to learn about security even though I’ve been in the technical security business a long time. I guess I’m not in Kansas anymore. ■


This column is written anonymously by a real CSO at a major corporation. For reader feedback, e-mail us at csoundercover@cxo.com.
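The two situations the column's telco friend distinguishes, a flood whose every packet carries a different forged source (where filtering by sender is hopeless and only destination-side measures such as null-routing the old address help) and a flood from a fixed set of senders (which the upstream provider can filter), can be told apart from the source-address spread of the bare SYNs. This is an added illustration for the column, not code from the author's company; the packet records, addresses and thresholds are constructed.

```python
"""Telling a spoofed-source SYN flood apart from a flood sent by a fixed
set of machines, from a short packet capture. Added illustration, not code
from the column's author; packets, addresses and thresholds are constructed."""
from __future__ import annotations

import ipaddress
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since the capture started
    src: str    # source IPv4 address as seen on the Internet side
    dst: str    # the web server under attack
    flags: str  # TCP flags: "S" is a bare SYN, "SA"/"A"/"PA" a live session


# Ranges that can never legitimately arrive from the Internet; a source in
# one of them is forged by definition (the usual "bogon" check).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

SERVER = "203.0.113.10"  # constructed address of the attacked web server


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def spoofed_flood_capture(seed: int = 7) -> list[Packet]:
    """Constructed capture: 20 s of normal sessions from three clients,
    then 10 s of bare SYNs at 300/s, each from a fresh random source."""
    rnd = random.Random(seed)
    pkts: list[Packet] = []
    clients = ["198.51.100.5", "203.0.113.77", "192.0.2.9"]
    for i in range(40):                      # one handshake every 0.5 s
        for fl in ("S", "A", "PA"):
            pkts.append(Packet(i * 0.5, clients[i % 3], SERVER, fl))
    for i in range(3000):
        src = str(ipaddress.IPv4Address(rnd.getrandbits(32)))
        pkts.append(Packet(20.0 + i / 300.0, src, SERVER, "S"))
    return pkts


def fixed_source_flood_capture() -> list[Packet]:
    """Constructed capture: the same SYN rate, but from only three senders."""
    senders = ["198.51.100.200", "198.51.100.201", "198.51.100.202"]
    return [Packet(i / 300.0, senders[i % 3], SERVER, "S") for i in range(3000)]


def analyse_window(pkts: list[Packet], t0: float, t1: float) -> dict:
    """Summarise the bare SYNs aimed at the server within [t0, t1)."""
    syns = [p for p in pkts if t0 <= p.ts < t1 and p.flags == "S"]
    n = len(syns)
    sources = Counter(p.src for p in syns)
    return {
        "syn_per_s": n / (t1 - t0),
        "distinct_src_ratio": len(sources) / n if n else 0.0,
        "bogon_src_ratio": sum(is_bogon(p.src) for p in syns) / n if n else 0.0,
        "top_sources": sources.most_common(3),
    }


def classify(stats: dict, syn_threshold: float = 100.0,
             spread_threshold: float = 0.9) -> str:
    """Decide which of the column's two cases applies. When almost every SYN
    has its own source, filtering by sender is pointless and only measures on
    the destination side (rate limits, null-routing the old address) help;
    with a fixed set of senders, top_sources is what the provider can filter."""
    if stats["syn_per_s"] < syn_threshold:
        return "normal"
    if stats["distinct_src_ratio"] >= spread_threshold:
        return "spoofed-source SYN flood"
    return "SYN flood from a fixed set of sources"


if __name__ == "__main__":
    pkts = spoofed_flood_capture()
    for t0, t1 in ((0.0, 20.0), (20.0, 30.0)):
        s = analyse_window(pkts, t0, t1)
        print(f"{t0:>4}-{t1:<4}s  {classify(s)}  {s}")
    print(classify(analyse_window(fixed_source_flood_capture(), 0.0, 10.0)))
```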




ILLUSTRATION  BY  ANTHONY  VENTURA 


invites you to Celebrate Georgia’s Information Security Pioneers

The Information Security Executive of the Year in Georgia™ Award honors the achievements of today’s information security pioneers and recognizes excellence in managing enterprise-wide network and Internet security systems. Join us at Atlanta’s historic Fox Theatre on March 19, 2003, when we celebrate these forward-thinking individuals.

Call for Nominations: Nominate your Chief Security Officer, or executive in an equivalent position, for the Information Security Executive of the Year in Georgia for 2003. Nomination forms are currently available online at www.infosecaward.com.

Call for Sponsors: Only a few sponsorship packages remain! Take this opportunity to participate in this premier event for Georgia’s most innovative information security professionals. Visit www.infosecaward.com for updated sponsorship package information.

Keynote Speaker: Richard Marshall, Principal Deputy Director, Critical Infrastructure Assurance Office (CIAO)

Gigabyte sponsor: STONESOFT
Megabyte sponsors: Lancope, PEOPLE NETWORK INC
Media sponsor: CSOonline.com, THE RESOURCE FOR SECURITY EXECUTIVES


Sales  and  Services 

CSO Sales Offices

President  Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

Senior  VP  Sales/East 
Michael  J.  Masters  •  973  244-4040 
Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Senior  Regional  Manager 
Kathy  Powers  •  973  244-4041 
Regional  Sales  Manager 
Ellie  Schwab  •  973  244-4042 
Account  Executives 
Joan  Bonadeo  •  973  244-4043 
Gale  Tedeschi  •  973  244-4031 
Advertising  Sales  Associates 
Rhonda  Goodman  •  973  244-4033 
Sharon  Patrick  •  973  244-4044 

New  England 

Senior  Regional  Manager/Advertising  Sales 
Len  Ganz  •  508  935-4039 
Account Executive Kim Forrest • 508 935-4068

Senior  Advertising  Sales  Associate 
Dawn Cora • 508 935-4092, Fax 508 879-6063

Mid-Atlantic 

Senior  Regional  Manager/Advertising  Sales 

Louise  Cupelli  •  215  627-8114 

Account  Executive 

Maureen  Welsh  •  215  627-8114 

Advertising  Sales  Associate 

Meredith  Hagan  •  215  627-8114 

Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 
District  Sales  Manager 
Beth  Carlson  •  847  441-3140 
Senior  Advertising  Sales  Associate 
Brenda Garza • 512 306-9801, Fax 512 306-9805
Advertising  Sales  Associate 
Kim  Giovanni  •  847  441-5005 

West  Coast 
VP  Sales/West 

Cheri  McKeithan  •  415  975-2685 

Senior  Regional  Manager/Advertising  Sales 

Jane  Evans  •  415  975-2680 

Regional Manager/Advertising Sales

Al Collins • 415 975-2686

Account  Executives 

Derek  Jung  •  415  975-2683 

Tom  Ocampo  •  415  975-2693 

Southern  California 

Regional Sales Manager Chris Bramel • 949 475-5579

Account Executive Isaac Ugay • 949 475-5579, Fax 949 475-5583

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Mgr. 

Michael  McPhee  •  508  935-4611 


Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development  Tom  Field 
Project  Manager  Amy  Greenleaf 
Graphic  Designer  Chris  Brown 

Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Ad  Production  Coordinator  Lisa  Stevenson 

Executive  Programs 

Senior  Vice  President  Ronald  L.  Milton 
VP,  Conference  Management  Cynthia  Mollus 
Director,  Marketing  Services 
Shellie  Rapson  James 
Director  of  Sales  John  Amato 
Manager,  Program  Operations  Brian  Fuce 
Manager,  Procurement/Tech.  Planning 
Cynthia  Laird 

Event  Development  Specialist 
Sandra J. Hughey
Program  Applications  Specialist 
Heather  Beauton  (Senior) 

Operations  Coordinator  Michael  Barbato 
Fulfillment  Services  Coordinator 
Andrea  Slobogan 

Manager, Event Planning Amy Turell

Marketing 

Executive  VP/Marketing 

Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Assistant 

Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Coordinator 
Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Promotion  Manager 
Faith  Marcello 

Circulation  Fulfillment  Manager 

Valerie  Szymanski 

Subscription  Svcs.  Supervisor  Tina  Pescaro 
Circulation  Fulfillment  Assistant 
Diana  Turco 

Reprint  Services 

For article reprints, please contact Reprint Services at 651 582-3800 or e-mail csoreprints@reprintservices.com.

For further sales information, visit www.csoonline.com/marketing/sales.html.


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal  Information 

CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Application to mail at Periodicals postage rate is pending at Framingham, MA 01701, and at additional mailing offices.

Permissions 

Copyright 2002 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send all requests to Permissions Department, CSO, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: if.

Subscriptions 

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $64.95 for the United States and Canada, $105 to foreign countries (payable in U.S. funds only). The single copy price is $6.95. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index of Companies and Advertisers

Page numbers refer to the first page of the article(s) in which the company is mentioned. This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


Company Index

America Online Inc. ... 15
Baylor Health Care Systems ... 30
Catbird Networks Inc. ... 59
Communicator Inc. ... 15
ConocoPhillips ... 46
Datakey Inc. ... 24
Deltanet Inc. ... 52
Exodus ... 15
FedEx Corp. ... 38
First Union Corp. ... 38
Fleishman-Hillard Inc. ... 38
F-Secure Corp. ... 15
Giga Information Group Inc. ... 59
Global Integrity Corp. ... 52
Goldman Sachs Group Inc., The ... 15
Hewlett-Packard Co. ... 15
IBM Corp. ... 15
International Data Corp. ... 15, 59
In-Stat/MDR ... 59
J.P. Morgan Chase & Co. ... 15
Marion Bank, The ... 59
MassMutual Financial Group ... 46
Merrill Lynch & Co. Inc. ... 15, 38
Microsoft Corp. ... 15, 59
Morgan Stanley ... 46, 52
Predictive Systems Inc. ... 52
Prudential Financial Inc. ... 52
RSA Security Inc. ... 24
Salomon Smith Barney Holdings Inc. ... 15
Sanford C. Bernstein & Co. LLC ... 15
Secure Network Operations Inc. ... 15
SPI Dynamics Inc. ... 59
Symantec Corp. ... 59
TruSecure Corp. ... 15
USAA ... 38
VeriSign Inc. ... 59
W.L. Gore & Associates Inc. ... 52
Wachovia Corp. ... 38
WorldCom Inc. ... 24
Yahoo Inc. ... 15
Yankee Group, The ... 15

Advertiser Index

ADT ... 27
Avaya ... 45
BearingPoint Inc. ... 7
Checkpoint Software ... 34
Computer Associates Intl. Inc. ... 5
CXO Media Inc. ... 58, 63
CyberGuard Corp. ... 17
GROUP ... 55, 57
IBM Corp. ... C3, 22
Information Security Executive Awards ... 65
Lancope Inc. ... 29
LG Electronics USA Inc. ... 14
LJ Kushner & Associates LLC ... 21
NEC Solutions ... 19
NetScreen Technologies Inc. ... 11
Nokia ... 12
OKENA ... 51
Peerstone Research ... 67
PentaSafe ... C4
PricewaterhouseCoopers ... 9
SAVVIS ... 37
ServerVault ... 61
Symantec Corp. ... 2
TippingPoint Technologies ... C2
Unisys Corp. ... 25


66  www.csoonline.com  November  2002 


ERP and CRM


Included  Are: 



Peer  Review 


The Truth About Enterprise Software... as Only Your Peers Can Tell It.

Trying  to  take  the  guesswork  out  of  implementing  an  ERP  or 
CRM  application  may  seem  like  an  impossible  task.  Between 
evaluating,  negotiating,  budgeting,  selecting,  and  executing 
the  plan,  the  "unknowns"  can  seem  daunting,  and  the  process 
never-ending. 

TURN TO YOUR PEERS — who have walked this path before you — for advice. The 2002 ERP and CRM Vendor Scorecard from Peerstone Research captures the challenges, benefits, and advice from the true experts — 163 Enterprise Application users — real practitioners whose experience will help you make the right decision for your enterprise.

For only $795, the 2002 ERP and CRM Vendor Scorecard is delivered right to your desktop, giving you immediate access to the information you need. Looking for peer-based ratings for enterprise software Systems Integrators? See our companion report, the 2002 Systems Integrator Scorecard. Printed copies, volume pricing and site licenses available — see our web site for more information.


Your  peers  grade  the  big 
4  ERP/CRM  vendors'  performance  on 
features,  ROI,  software  quality,  ease  of 
integration,  and  vendor  services. 


Reviews  of  the  vendors  and 
verbatim  comments  from  your  peers  — 
both  pro  and  con— for  each. 


Find  out  what  your  peers  are 
saying  about  enterprise  applications' 
ability  to  create  value,  how  to  derive  the 
maximum  benefit  from  ERP  or  CRM,  and 
all  the  other  implementation  questions 
keeping  you  up  at  night. 




ERP and CRM Vendor Scorecard

Peerstone Research

In  association  with  CXO  Media  Inc.,  publisher  of  CIO  and  Darwin  magazines 


FOR  EXECUTIVE  DECISION  SUPPORT  TOOLS,  VISIT  THE  CIO  STORE-THE  CIO’S  KNOWLEDGE  MARKETPLACE 

www.theCIOstore.com 


The  Big  Picture 


Significant  Moments  in  Security  History 


March  15, 44  B.C. 

Julius  Caesar’s  bodyguard 
uses  his  mother’s  maiden 
name  as  password  to 
Senate  meeting.  Brutus 
easily  gains  entree  and  he, 
too,  assassinates  Caesar. 


Fall  1066 

William the Conqueror takes advantage of misconfigured firewall. Saxons use too much hot tar, accidentally burn down their own fort at Hastings. King Harold loses England.


July  1780 

Longtime disgruntled employee Benedict Arnold steals intellectual property from his employer, America, to help England gain West Point and Hudson River. America intercepts the espionage and eventually becomes a superpower. Meanwhile, the sun sets on British Empire.


Oct.  30, 1938 

Twenty-three-year-old genius Orson Welles perfects social engineering with War of the Worlds broadcast; scares the bejeezus out of entire nation.

Nation  reciprocates 
three  years  later,  denying 
Citizen  Kane  eight  Oscars, 
including  Best  Picture. 


Sept.  4, 2000 

Presidential candidate George W. Bush forgets to encrypt a message to vice presidential candidate Dick Cheney in which he calls a reporter "a major-league &%&$#!." Entire nation hears, elects Bush leader of the free world anyway.


68 www.csoonline.com November 2002


ILLUSTRATION  BY  N.  ASCENCIOS 


software 


MANAGEMENT 


PLAY 


SECURITY 


(e) business is the game. Play to win.™


1] WIN WITH SECURITY: It isn't always about hackers. E-business security must also ensure that only the right users (within and outside of your company) get the right information at the right time.


2] WIN WITH TIVOLI: Whether it's granting access to customers or CEOs on PDAs, Tivoli Security Management software centrally secures and manages your network across multiple platforms. Tivoli. Part of our software portfolio including DB2®, Lotus® and WebSphere®.


3]  MAKE  THE  PLAY:  Visit  ibm.com/tivoli/secure  for  a  white 
paper  on  how  Tivoli  Security  Management  can  maximize  your  ROI. 


re. the e-business logo and e-business is the game. Play to win are registered trademarks or trademarks of International Business Machines Corporation in the United States

IBM Corporation. All rights reserved.




"V"  is  for  VigilEnt  Integrated  Security 
Management  Solutions  from  PentaSafe. 


TERRY MCMULLEN, General Manager, Jack Henry & Associates, PentaSafe customer




Jack  Henry  &  Associates  is  VigilEnt  with  PentaSafe. 


VigilEnt Integrated Security Management

Intrusion Management
Vulnerability Management


PENTASAFE  SOLUTIONS 


As General Manager of Electronic Services at Jack Henry & Associates, I'm responsible for the data processing of hundreds of banks and financial institutions nationwide. Our business and our clients demand the highest security standards. Since 1999, we've relied on PentaSafe's VigilEnt software to help us secure millions of transactions every day.

See  for  yourself  how  PentaSafe  security 
solutions  can  help  you  become  more  vigilant 
in  managing  security  across  your  enterprise. 


Want  to  find  out  more  about 
PentaSafe's  VigilEnt  Integrated 
Security  Management  Solutions? 

Go  to  www.pentasafe.com  to: 

■  Register  for  an  Executive  Security  Briefing, 
featuring  Gartner  Group's  John  Pescatore. 

■  Download  our  free  "Integrated  Security 
Management"  whitepaper 


PentaSafe 

The  safest  way  to  grow  your  business. 


